Is My Document Scanning App HIPAA Compliant?

published on 25 February 2021

Mobile document scanning apps have become a common tool for field clinicians, and for good reason. They allow paperwork, insurance cards, and more to be scanned easily and sent to another team member or the back office in real time.

Products like CamScanner, Adobe Scan, and TurboScan offer this half of the equation - the ability to scan and send documents. However, these and similar apps were developed for consumer use, and they lack the other half of the equation - HIPAA compliance. But what exactly makes a document scanner app HIPAA compliant? Here are a few things to look out for:

  • Will the company sign a BAA?

    Since your patients' PHI will be flowing through a third-party scanning application, you're required to have a BAA (Business Associate Agreement) with the company to ensure the basic standards of HIPAA compliance.

    At EncryptScan, we offer all of our clients a BAA that meets all of the requirements, and we also carry Cyber Liability Insurance.

  • Are your documents encrypted at rest and in transit?

    Just because you've signed a BAA does not mean you are out of the woods. Small practices are increasingly becoming the victims of cyber attacks because oftentimes they are the easiest targets due to antiquated security measures.

    EncryptScan secures your documents at rest using AES-256, which was established by the U.S. National Institute of Standards and Technology (NIST) and has been adopted as the government's standard encryption. During transit, your documents are just as secure through the use of HTTPS and TLS 1.2 or greater.

  • Does the app provide audit trails?

    When dealing with any sort of PHI, audit logs are crucial to ensure compliance with HITRUST and HIPAA. You'll want to be able to track who created, modified, or otherwise performed any action on documents containing PHI. 

    EncryptScan logs all actions performed on your documents, including what user performed the action and at what time. Even after a document is deleted from EncryptScan, audit logs are maintained to comply with reporting & compliance regulations to help you in the event of an audit.

  • Does the app offer a way to securely upload my documents?

    After a document is scanned, it will need to be delivered electronically to the appropriate team member to continue through your workflow. Not only that, but you'll want a standardized process across your entire field staff.

    Many consumer scanning apps let you send documents over email, export them to the device, and upload them to various cloud providers. So many options can quickly spell disaster for the efficiency of your back-office staff, but most importantly, these methods aren't secure, and sensitive documents could end up in multiple insecure locations, such as an employee's personal Google Drive.

    EncryptScan standardizes the process by allowing upload only to our secure cloud storage where the documents can be immediately accessed by back-office staff from a web browser. 

Learn how EncryptScan can improve staff efficiency & protect you from a costly breach.