Bottom Line
When retrieving and distributing Protected Health Information (PHI), ScanSTAT Technologies strives to go beyond the “reasonable and appropriate” standard when implementing administrative, physical and technical safeguards. ScanSTAT transmission policies follow guidance from the National Institute of Standards and Technology (NIST), specifically NIST SP 800-53, NIST SP 800-66 and the NIST Cybersecurity Framework (assessed against the COBIT maturity model). These guidelines help ensure that ScanSTAT has the safeguards required by the HIPAA Security Rule, the HIPAA Privacy Rule and the HITECH Act.
ScanSTAT transmits electronic PHI (ePHI) securely in three ways: via our proprietary “PRC Virtual Printer”, via secure FTP (SFTP or FTPS) and via an encrypted email service.
PRC Virtual Printer
The primary software ScanSTAT uses to securely collect medical records is PRC, a proprietary virtual printer installed on our clients’ systems that lets ScanSTAT upload documents to our internal document management software. PRC users must authenticate with a username and password before connecting and uploading data. PRC uses a standard HTTPS (TLS) channel, authenticated by a public-key certificate, to encrypt both the login exchange and the transfer of data into our systems; the server certificate uses a 2048-bit key and a SHA-256 signature (these are attributes of the certificate; the session data itself is protected by the cipher suite negotiated by TLS). The PRC application stores no ePHI locally: it only combines, compresses and uploads data to our document management software. That software is hosted in a data center audited under SSAE 16 Type II (an attestation report on the data center’s controls, not a certification).
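The certificate claim above (a 2048-bit key with a SHA-256 signature) is something a client can verify rather than take on trust. The script below is an added example, not ScanSTAT’s or PRC’s own code: it walks just enough of a certificate’s DER structure to read the signature algorithm and the RSA modulus size, then compares them with the stated policy. Because no PRC endpoint can be reached offline, it constructs an unsigned certificate skeleton as sample input; `fetch_cert()` shows how the same check is run against a live endpoint (the host name and port are placeholders). Only RSA keys and RSA signatures are decoded; anything else is reported for manual review. The same check applies to an FTPS endpoint.

```python
"""Added example: verify that a TLS endpoint's certificate meets a stated policy
(RSA key >= 2048 bits, SHA-256 or stronger signature) using only the standard
library. A tiny DER walker reads the two X.509 fields we need."""
import socket
import ssl

# DER-encoded OID values. Assumption: only RSA keys and RSA signatures are
# decoded; anything else is reported as "unknown" for manual review.
OID_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"
OID_SHA1_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"
OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"
OID_SHA384_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0c"
OID_NAMES = {OID_RSA: "rsaEncryption", OID_SHA1_RSA: "sha1WithRSAEncryption",
             OID_SHA256_RSA: "sha256WithRSAEncryption",
             OID_SHA384_RSA: "sha384WithRSAEncryption"}
ACCEPTED_SIGS = {"sha256WithRSAEncryption", "sha384WithRSAEncryption"}


def der_read(buf, pos=0):
    """Decode one DER TLV at pos: returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Return the (tag, value) TLVs directly inside a SEQUENCE body."""
    items, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        items.append((tag, val))
    return items


def inspect_cert(der):
    """Extract signature algorithm, key algorithm and RSA modulus size from a DER cert."""
    _, cert, _ = der_read(der)                       # Certificate ::= SEQUENCE
    children = der_children(cert)                    # tbsCertificate, signatureAlgorithm, signature
    tbs_fields = der_children(children[0][1])
    if tbs_fields[0][0] == 0xA0:                     # optional [0] EXPLICIT version
        tbs_fields = tbs_fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    spki_alg, spki_key = der_children(tbs_fields[5][1])[:2]
    key_alg = OID_NAMES.get(der_children(spki_alg[1])[0][1], "unknown")
    key_bits = None
    if key_alg == "rsaEncryption":
        _, rsa_seq, _ = der_read(spki_key[1][1:])    # skip BIT STRING "unused bits" byte
        modulus = der_children(rsa_seq)[0][1]        # RSAPublicKey ::= SEQUENCE { n, e }
        key_bits = int.from_bytes(modulus, "big").bit_length()
    sig_alg = OID_NAMES.get(der_children(children[1][1])[0][1], "unknown")
    return {"sig_alg": sig_alg, "key_alg": key_alg, "key_bits": key_bits}


def check_policy(info, min_bits=2048):
    """Return a list of findings; an empty list means the certificate complies."""
    findings = []
    if info["key_bits"] is None:
        findings.append(f"{info['key_alg']} key is not RSA; review key strength manually")
    elif info["key_bits"] < min_bits:
        findings.append(f"RSA key is {info['key_bits']} bits, policy requires >= {min_bits}")
    if info["sig_alg"] not in ACCEPTED_SIGS:
        findings.append(f"signature algorithm {info['sig_alg']} is weaker than SHA-256 or unknown")
    return findings


def fetch_cert(host, port=443):
    """Fetch the leaf certificate (DER) and negotiated protocol from a live endpoint.
    host/port are placeholders; this is not exercised offline."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # refuse anything older than TLS 1.2
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), tls.version()


# Constructed sample input: a structurally valid skeleton with no real key and no valid signature.
def der_tlv(tag, value):
    """Encode one DER TLV with short- or long-form length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def der_int(i):
    """Encode a non-negative INTEGER, padded so the top bit is never set."""
    return der_tlv(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big"))


def build_sample_cert(key_bits, sig_oid):
    """Constructed, unsigned certificate with the requested RSA size and signature OID."""
    alg_id = der_tlv(0x30, der_tlv(0x06, sig_oid) + b"\x05\x00")
    rsa_key = der_tlv(0x30, der_int(1 << (key_bits - 1)) + der_int(65537))
    spki = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, OID_RSA) + b"\x05\x00")
                   + der_tlv(0x03, b"\x00" + rsa_key))
    empty_name = der_tlv(0x30, b"")
    validity = der_tlv(0x30, der_tlv(0x17, b"240101000000Z") + der_tlv(0x17, b"250101000000Z"))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_int(2)) + der_int(1) + alg_id
                  + empty_name + validity + empty_name + spki)
    return der_tlv(0x30, tbs + alg_id + der_tlv(0x03, b"\x00" * 17))


if __name__ == "__main__":
    for bits, oid in ((2048, OID_SHA256_RSA), (1024, OID_SHA1_RSA)):
        info = inspect_cert(build_sample_cert(bits, oid))
        print(info, check_policy(info) or "OK")
```

Run against a real host with `check_policy(inspect_cert(fetch_cert("host.example", 443)[0]))`; `fetch_cert()` also refuses to negotiate anything below TLS 1.2, so a downgrade shows up as a connection failure rather than a silent success. The constructed sample is deliberately minimal: it has no valid signature, so it exercises only the structural fields the policy check reads.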
Secure FTP
In some cases ScanSTAT uses secure FTP to transfer data. We use an industry-standard, enterprise-class FTP server package configured to meet HIPAA and HITECH requirements. ScanSTAT supports two protocols, SFTP (the SSH File Transfer Protocol) and FTPS (FTP over TLS), with SFTP preferred. Both the authentication exchange and the data channel must be encrypted; the public-key credential that anchors that encryption can be provided by ScanSTAT or assigned by the Covered Entity (for FTPS this is an X.509 certificate; for SFTP the SSH host key serves the same role). Additionally, SFTP connections are restricted by rules at our network edge so that only designated, approved source locations can connect. This FTP server is hosted in a data center audited under SSAE 16 Type II.
Encrypted Email
In some cases ScanSTAT is asked to send information by encrypted email. When requested, we transmit ePHI this way using the industry-leading Zix Corp email encryption gateway. Zix Corp encrypted email ensures that messages are delivered securely, in compliance with HIPAA and HITECH requirements. This Zix Corp email gateway is hosted in a data center audited under SSAE 16 Type II.