Secure records come in many variations: criminal records on microfilm rolls, health information on patient charts, and personally identifiable information on finance documents, to name a few. If you want to reduce your hard copy load, you’ll want to scan the files into an electronic format. But who can you trust to keep your records safe while they’re out of your hands? 

The final decision to choose a scanning partner to digitally convert your secure records is completely up to you, and you have to feel comfortable with who you work with. Below we describe what secure scanning is, what kinds of records are considered sensitive, methods to physically and digitally protect your records, and a sample set of credentials you can look for when you’re choosing your scanning partner.

What Is “Secure Scanning?”

Simply put, secure scanning is the method by which you keep your records and data safe and prevent them from getting into the wrong hands during the digital conversion process. 

Although we treat every client's records as confidential, not all scanning is the same, and not all records are created equal. The degree of security applied depends on the type of material being scanned and on the level of security the client asks for, whatever the record type.

Security can also be separated into physical and digital categories: just because there’s a lock on the front door (physical), that doesn’t mean that the electronic data is being transmitted and stored properly (digital). It’s important to consider both types of security when you’re researching scanning partners. 

Which Kinds Of Records Need Secure Scanning?

As we mentioned above, all records should be scanned securely, although different types of records may be handled differently based on regulations, policies, and so on. Below are some of the record types we encounter and what differs in how they're converted.

Private Data

Private data is information that may not be so sensitive as to be labeled “confidential,” but it’s still information that’s private to you. Another way to look at it is that it’s information that might be made available to other people on request, but it’s not publicly available like a newspaper. 

Examples include customer invoices, building plans, and financial records. These are record types that don’t fall under a regulation like HIPAA, but they’re important to you and need to be protected. 

To keep these records secure, your scanning partner should have a physically secure facility that requires identification prior to entry and a production/scanning area that keeps visitors from being able to wander around without an escort. On the digital side, only authorized personnel should have access to your records and only for the purposes of completing the project.

Healthcare Data

Healthcare data includes PHI (protected health information) and ePHI (electronic protected health information), and this type of record carries numerous restrictions to ensure it’s secure. The HIPAA rules (Health Insurance Portability and Accountability Act) are critical when dealing with health records, and they govern how healthcare data may flow between the parties that handle it. 

Some of the ways to ensure the security of healthcare data are to choose a partner that completes HIPAA audits, trains its employees on HIPAA practices and on handling PHI/ePHI, and has secure scanning facilities for production and storage of your records. Digitally, encrypted storage and transmission of data are critical so that a security lapse does not expose readable records, and access to a project should be assigned to the minimum number of individuals to limit exposure.

Criminal Justice Information (CJI)

Criminal records are processed in a very specific way when we’re chosen as your scanning partner. Although a scanning vendor isn’t itself required to adhere to the Criminal Justice Information Services (CJIS) Security Policy, we decided as a company to process criminal justice information (CJI) following the policy guidelines. This decision allows law enforcement agencies, and any other department with criminal records that needs access to the CJIS database, to partner with a vendor that complies with the Security Policy. 

There are many protocols that must be followed to be compliant with the CJIS Security Policy, such as access control, media protection, physical protection, personnel security, and training, to name a few. Instead of going into detail here, we recommend that you read our in-depth article about “CJIS Digital Scanning” to understand the processes and how we handle these records. 

What Are The Different Ways To Keep Records Safe?

The two methods of securing records before, during, and after a digital conversion project are by physically protecting them and digitally protecting them. Since there are innumerable ways to protect records and data, we’ll describe some of the methods we use to give you an idea of what goes on when you start a digital conversion project.

Physical security

Physical security measures are the means to keep your hard copy records safe while we have them during a project. Because of the sensitive nature of some of the records we work with, it’s not enough to just have a room full of scanning machines with our people chugging along. Safeguards and procedures to segregate certain types of documents add a level of protection.

Our facilities have 24/7 exterior and interior camera monitoring to provide visibility at all access points to our buildings.

To enter our buildings, employees need both a personal PIN code and an ID card/key fob. Without both, you can’t get in. This matters because a PIN by itself could be observed or shared, and an ID card by itself could be stolen – but if you don’t have both, you’re not getting into our sites.

Visitors require a BMI escort when they leave the public lobby area.

Once inside our buildings, there are additional layers of physical protection: lobby/public spaces are segregated from the production areas by a key card access point so that visitors or those without permission can’t get into areas with project material. On top of that, certain areas of our building are restricted to designated personnel on a project basis or their individual level of clearance. In other words, for highly sensitive projects, even some of our own people can’t get into areas where the project material is stored.

The entire production area is segregated from the public lobby, and within that area there are two more spaces for specific material. One is the “secure materials” area, which allows us to keep sensitive or confidential materials separate from non-restricted documents, and the other is our on-site vault.

The key takeaway from this section is that our facilities are like onions – there are multiple layers of protection to keep your records safe.


Digital security

Digital security measures are how we protect your records once they’re in an electronic form. This covers all aspects of the digitization process including scanning, processing, delivery, and storage.

Our people are assigned to projects based on the scope of work and what’s needed. We don’t allow the entire organization to access your materials – only those that are necessary to get the work done. This limits the exposure of your records, even within our company.

After we’ve scanned your materials, they’re stored in our Digital Vault on drives encrypted with AES-256.

Once we’ve finished your project and are ready to send it to you, two delivery options are a USB drive or SFTP (SSH File Transfer Protocol, an encrypted electronic delivery). Whichever you choose, we encrypt the files themselves before they leave us, so that only the individual you designate, who holds the password, can decrypt them on arrival.

We use third-party sources to test our network and systems through penetration testing, ensuring that our in-house software and IT teams are keeping our platforms secure.

For clients using our Digital ReeL hosted application, data is stored at two sites to support backup and disaster recovery. Access to the application requires a username and password, and can also include IP allowlisting (restricting logins to approved network addresses, such as your office) and two-factor authentication (2FA), so that a stolen password alone is not enough to get in.


What Kinds Of Credentials Should A Company Have?

The company you choose to work with should have the credentials and certifications that make you comfortable. Each company you take a look at will handle their processes in a distinct way, and most likely none of them will be 100% perfect. By taking a well-rounded approach and considering the options available to you, you should be able to weigh the most important factors to you when it comes to scanning your sensitive records and choose the partner that you feel is the most competent. 

There are probably hundreds of credentials and certifications available when it comes to secure scanning, processing, and handling – with the availability of online courses, almost every topic can be granular. A quick web search for “online certifications for secure digital processing” shows you that there are plenty of super-specific courses and certifications – these are great, but it might be going a bridge too far to ask your scanning partner to get into this level of detail. Most scanning companies are looking at higher-level compliance because it applies to the organization as a whole.

Some security credentials that we have include:

A third party evaluated the operating effectiveness of controls related to our image conversion services system and provided a report on the description of our system and on the suitability of the design of our controls relevant to security, availability, and confidentiality.

We’re a CJIS-listed vendor following the protocols of the FBI CJIS Security Policy.

National Institute of Standards and Technology Special Publication 800-53, which “provides a catalog of security and privacy controls for federal information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks.” (NIST SP 800-53 Rev. 5)

HIPAA guidelines are updated on a regular basis, and we self-audit to ensure we’re complying with the current guidelines.

In addition to third-party audits and assessments, we conduct our own security audit covering facility security, network and production security, administrative and personnel processes, and so on. The results are available to customers on request.


Next Steps

When you have sensitive or confidential records, it’s normal to feel concerned about who’s handling them and how they’ll be scanned. We can’t force you to trust us with your documents, but we’re ready to speak with you and answer your questions. 

Give us a call at 800.359.3466 or send an email to info@bmiimaging.com to chat with one of our reps and see if we’re a fit for each other.

Further Reading

Read other posts related to security and digital conversion, starting with three recommendations below:

“Security” is an information page completely related to our security processes, procedures, and methods. 

“CJIS Digital Scanning” is our overview of how to scan criminal justice information (CJI) for law enforcement agencies. If your office is handling and processing CJI, this is a starting point for you to understand what CJIS means and why it’s important to you. 

“HIPAA Compliance & Document Conversion” relates to health records, which are rife with sensitive information. Read up on compliance and why digitizing your hard copy records can be a step in the right direction for your company.