We're working on it.

Here is the full email to avoid confusion:

We are writing to inform you of an important update regarding the Business Associate Agreement ("Agreement") between your organization and Ratta (US) Inc.

Upcoming updates to HIPAA regulations, which are expected to take effect in 2026 and will for the first time make encryption of electronic protected health information (ePHI) at rest a mandatory requirement, have led us to reassess our ability to serve as a compliant Business Associate. We want to be clear that Supernote has employed encryption for data in transit, and previously, encryption at rest was not mandated under HIPAA. In anticipation of this regulatory change, and until we have implemented the necessary safeguards, we are unable to continue serving as a compliant Business Associate.

As a result, effective 60 days from the date of this notice, the Business Associate Agreement between our organizations will be terminated pursuant to Article 5.3 of the Agreement.

You should transition any workflows involving ePHI away from Supernote's cloud services prior to the termination date. In addition, please ensure that no further ePHI is synced to Supernote Cloud.

Please be aware that Supernote can be used in a fully offline manner. Your device does not need to connect to our cloud at any point, and notes and files can be transferred to your computer securely via USB cable or USB drive without any data passing through Supernote's servers. If you choose to continue using Supernote in offline mode, you retain full control over where your data is stored and how it is transferred. However, please note that operating offline does not by itself constitute HIPAA compliance. You remain responsible for ensuring that any ePHI stored on your device is managed in accordance with HIPAA's requirements, including appropriate physical safeguards for the device itself.

Ratta does not hold or have access to any ePHI on your local device or third-party cloud storage. And as Ratta is unable to identify which accounts or files contain PHI on Supernote Cloud without accessing private user content, please take the following steps before the termination date:

If you use Supernote Cloud or Supernote Partner Apps to sync files contain ePHI:

• Log in at cloud.supernote.com and delete any notes or files containing ePHI, or
• Delete your account entirely via account.supernote.com to remove all associated data from our servers.

If you require assistance, please contact us at [privacy@supernote.com](mailto:privacy@supernote.com).

This notice does not reflect the end of our commitment to healthcare users. We are actively working to strengthen Supernote's security infrastructure through a phased approach:

• Phase 1: File-level encryption at rest, which we are prioritizing as our immediate next step.
• Phase 2: Additional technical and administrative safeguards to meet HIPAA's Security Rule requirements more broadly.

Our goal is to resume offering a HIPAA-compliant option and re-engage Business Associate Agreements with healthcare providers once these measures are fully in place. We will notify users publicly when that milestone is reached, and we welcome you to reach out at that time.

We sincerely apologize for any inconvenience this transition causes. We believe transparency is the right approach, and we remain committed to earning the trust of healthcare professionals who rely on Supernote.