Digitization projects encompass a whole bunch of pieces – hard copy materials, contracting, project scoping, transportation, digital delivery, and more. 

That’s the exciting stuff – but what about how your records are processed? What about the security measures in place to protect your data? 

Compliance is mostly in the background, kind of like air – you don’t realize it’s there until it’s not. 

In this article we’ll give you a few ways to check your scanning partner so you can confirm that your records are being processed properly and being protected as best they can be.

Why Compliance Standards Matter

Compliance standards serve as essential guidelines to help you select a reliable scanning partner. These standards can include industry best practices, certifications, and third-party audits and verifications.

While compliance standards and scanning guidelines hold importance across all types of projects, they’re indispensable for those involving sensitive materials like medical records, criminal records, confidential files, or student records.

If you’re collaborating with a company to scan these types of records, you’ll want to investigate how this company is vetted and understand the policies and procedures they follow.

Compliance Checks To Gauge Your Scanning Partner

Here are some techniques to confirm your scanning partner’s commitment to keeping your records secure. These methods are arranged from the least strenuous to the most comprehensive:


HIPAA Compliant

HIPAA regulations don’t offer a definitive “test” to prove compliance. However, guidelines exist to maintain HIPAA compliance. One way a company can meet HIPAA regulations is through a self-audit. Although self-auditing might seem like grading your own exam, by incorporating other compliance and certification methodologies—such as third-party audits—you can verify that your scanning partner is indeed fulfilling their promises.

Annual Internal Security Audit

Another important type of self-audit is an internal security audit. Even alongside third-party audits, an internal audit showcases a company’s dedication to ongoing improvements and a proactive approach towards data protection, both for themselves and their clients.


Third-Party Verification

Of course, internal audits can only go so far. When a company involves an impartial party to investigate its security practices, this lends a high degree of credibility. Examples of third-party verifications include SOC audits and penetration testing.


FBI Criminal Justice Information Services (CJIS) – Listed Vendor

CJIS compliance relates to criminal information. If you’re a law enforcement agency handling criminal files, partnering with a CJIS compliant and listed company is vital.

NIST SP 800-53 Compliant

NIST SP 800-53 (Security and Privacy Controls for Information Systems and Organizations) comprises recommended security and privacy controls for federal information systems and organizations. These recommendations help meet Federal Information Security Management Act (FISMA) requirements.


SOC 2 Type II Audited

SOC 2 Type II ranks among the more rigorous audits a company can pursue, demonstrating a serious dedication to their security posture. When searching for a digital conversion partner, prioritize a SOC 2 audit that focuses on security, availability, and confidentiality.

Process Is Always Important

Not every record contains sensitive information that could potentially be mishandled. However, if it’s your records being scanned—even if they’re public and not confidential—they’re important to you. Therefore, it’s crucial to ensure that all records are handled appropriately.

One key indicator of proper material handling is process adherence. Established processes denote professionalism, systematization, and attention to detail. If you ask a potential scanning partner about their process for scanning your records and they seem to be improvising, it’s not a promising sign for the correct handling of your files. However, if they provide a comprehensive, step-by-step description of their process and set clear expectations—even without verification—that’s a good sign they’re competent and have the necessary procedures in place to conduct your project effectively.

One Standard To Rule Them All?

Unfortunately, there’s no one rule, guideline, compliance standard, or best practice that encompasses all materials and projects.

It’s crucial that you feel comfortable with the digitization methodology of the partner you choose. Not only should they check certain boxes, but you also need to trust that your records are in safe hands and feel confident about the project.

Ultimately, the responsibility falls on you to conduct the research, ask the questions, and decide which company will scan your records.

Further Reading

Digitization & The Chain Of Custody
The chain of custody of your records is a critical component during a digital conversion project. Learn what to ask about and how to evaluate a company’s chain of custody methods.

Subcontractors & Digitization Projects
Subcontractors are partners who execute critical digitization tasks, at scale, to help successfully complete projects. Learn about how they’re involved in digital conversion projects and what you can expect.

CMS/HCFA 1500 Claims Form Processing
When healthcare claims aren’t processed properly, it not only slows reimbursement for providers but can also cause unnecessary stress for everyone involved in the patient’s treatment plans.