Bottom Line

“Assign a unique name and/or number for identifying and tracking user identity” — HHS HIPAA Security Rules, Section 164.312(a)(2)(i). Seems simple enough, right? This document explains how ScanSTAT services fulfill this obligation on your behalf and explains the steps we take to comply with this regulation. The goal of this FAQ, as always, is to allow you to transfer more of the burden to ScanSTAT.

The Issue

This regulation can cause headaches for any healthcare organization’s administrator. Every time there is staff turnover, new credentials must be created, employees must be trained to access the electronic protected health information (PHI), and proper permissions must be established. ScanSTAT uses remote technology, creating a virtual workspace through which our employees operate and are monitored. The proprietary ScanSTAT system allows our company to avoid being handcuffed by the logistics of having on-site personnel. Thus, ScanSTAT is able to completely remove the problems related to staff turnover at our clients’ organizations.

And our clients do not feel the burden of turnover at ScanSTAT. Our staff is trained and mentored through an extensive 90-day boot camp. The majority of ScanSTAT turnover occurs within this first 90-day period. This approach allows us to keep our turnover problems our own! Nonetheless, like any rapidly growing organization, ScanSTAT still incurs natural attrition.

How We Comply

Having multiple users working under the same credentials in an EHR sounds like the worst nightmare of any Compliance Office and IT Department. Section 164.308 of the HHS HIPAA Security Rules focuses on implementing technological safeguards, consistent auditing of users and, most importantly in this case — “…procedures to regularly review records of information system activity…” At no point do the regulations restrict the tools by which a unique identifier is assigned or monitored. This means that, despite popular belief, organizations are not required to do this within the EHR.

Our medical records experts log in through the ScanSTAT virtual environment and monitoring system before connecting to their assigned client. It is here, within this virtual environment, that ScanSTAT proprietary software tracks, catalogs and reports on all activity completed by each individual ScanSTAT employee. This environment, which connects our team to their assigned client, is also where our Compliance Officer is able to pull all necessary information for an accounting of disclosure if requested. ScanSTAT maintains our position of constant service and compliance and knows which employee is in the client system, at what time, and which records were accessed.


ScanSTAT is constantly prepared for any accounting of disclosure requests and we welcome any and all questions regarding our policies. We are experts in compliance and strive to educate our clients on how to improve the performance of their organization while minimizing risk. Our goal is to provide our clients with a combination of superior service and industry-leading HIPAA education.

In summary, we invite you to allow ScanSTAT to bear the burden of maintaining the unique identifier so you don’t have to. ScanSTAT service is here to remove these kinds of headaches from every level of our clients’ organizations. However, if your security policies and officers insist that you establish a unique identifier for all ScanSTAT staff with each incident of turnover, we will certainly comply with your request.