Patients of a large healthcare provider were recently shocked to find out that their medical records had been thrown in a dumpster instead of being shredded. Confidential information such as Social Security numbers and patient names was left unsecured, and private information was easily accessible to anyone walking by the dumpster. The healthcare provider had mandated that its vendor shred all medical records before they were thrown out, but may not have requested proof. So how do you make sure that an outsourcing company handling your documents is actually doing what it tells you it is doing?
Find a Partner You Can Trust
Before working with a document scanning company, there are a number of questions you should ask as part of your due diligence. Here are some key things to find out:
- Does the company have a current SOC 2 Type 2 report?*
- Does the company have a Better Business Bureau (BBB) rating and is it positive?
- Are the company’s processes documented and available to review?
- Can you tour the facility to see their process in action?
- Is the staff trained in HIPAA compliance?
* A SOC 2 Type 2 report is based on an objective audit by an independent CPA. The audit covers the controls that are documented, implemented and audited throughout the entire document scanning process and system, and that relate to the security of your documents and data.
Ensure Shredding is Backed by NAID
If your document scanning company will be shredding your documents after they have been digitized, make sure they use a NAID-certified* shredding company and request the following:
- Require the document scanning company to provide you with a certificate of destruction from the NAID-certified company each time your documents are shredded.
- Request proof that a NAID-certified shredding company is shredding the documents. One way to confirm this is by asking to see an invoice.
* The National Association for Information Destruction (NAID) offers a certification program to its member companies. Certified companies must use a secure paper destruction process to ensure shredded documents cannot be reconstructed.
Trust is an important factor in any business relationship, but verification is just as important. Trust and verify before you choose a document scanning partner.