What HIPAA Actually Says About Scanned Charts vs Original Paper
The HIPAA Privacy Rule, Security Rule, and accuracy/integrity requirements that govern when a scanned medical record can stand in for the paper original.
HIPAA does not prohibit digital medical records. It does not require paper either. What it requires is that whatever format the practice uses, the record meets accuracy, integrity, and accessibility standards. Both paper and digital can satisfy those requirements; both can also fail.
This post walks through what HIPAA actually demands when a practice transitions from paper to scanned records.
HIPAA covers protected health information, not format
The HIPAA Privacy Rule covers protected health information (PHI) regardless of the medium it is stored in. The Privacy Rule does not distinguish between paper charts and PDF scans. A patient name on a paper note is PHI; the same name in a scanned PDF is PHI.
The Security Rule, by contrast, applies specifically to electronic PHI. Digitizing a paper record moves it under the Security Rule, which adds technical requirements that did not apply when the record was just paper.
This is the core trade-off of digitization: the record becomes more useful, but new requirements attach.
Accuracy and integrity
HIPAA requires PHI to be accurate and complete. For scanned records, that translates to:
- Pages must be scanned in their entirety. Cropping, partial pages, or missing back-of-page content violates the integrity standard.
- Page order must be preserved. A chart's chronological sequence is part of the clinical record.
- Color or grayscale fidelity matters where it affects clinical interpretation (e.g., handwritten margin notes, highlighted entries).
- Any annotation, signature, stamp, or notation on the paper must be preserved in the scan.
A scanned record that loses information relative to the paper original is not a complete record under HIPAA. Practices that scan can satisfy this standard; practices that "scan and shred without QA" sometimes do not.
When the digital copy becomes the legal record
Once a record has been digitized to a complete and integrity-preserving format, both HIPAA and most state laws permit the practice to designate the digital copy as the legal record and dispose of the paper original. The conditions:
- The digital format must be accessible for the full retention period.
- The format must be readable without dependency on obsolete proprietary software.
- The practice must have backup and disaster recovery sufficient to ensure the record survives.
- Destruction of the paper must follow secure disposal requirements.
Searchable PDFs satisfy these conditions in nearly all common cases. Proprietary CAD-locked formats from old EHR systems often do not.
Access and accounting of disclosures
Patients have the right to access their records under HIPAA's Right of Access provision. The Right of Access applies equally to digital and paper records. The practical difference: digital records are dramatically faster to produce.
Many practices that switched to digital archives report that fulfilling a Right of Access request went from days (pull the paper chart from offsite storage, copy, redact, ship) to minutes (search by patient, export, redact, send).
Security Rule technical safeguards
When records are digital, the Security Rule's technical safeguards apply:
- Access controls: who can open the record.
- Audit controls: who actually opened it and when.
- Integrity controls: detection of unauthorized modification.
- Transmission security: encryption when records cross networks.
- Encryption at rest: increasingly the de facto standard, especially in California.
EHRs and modern practice management systems satisfy these requirements by design. Loose PDFs on a Windows folder share usually do not. A digitization project should land records in a system that already meets these requirements, not into ad-hoc storage.
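The integrity-control item above ("detection of unauthorized modification") is the one that a practice landing scans in plain file storage most often leaves unimplemented. As an added illustration, not ArchiveBridge code and not anything the Security Rule prescribes verbatim, the following Python builds a SHA-256 manifest of a delivered scan batch, seals the manifest with an HMAC so it cannot be silently edited alongside the files, and re-verifies the tree later to report modified, missing, and unexpected files. The directory layout, file names, page contents, and HMAC key are all constructed for the example.

```python
"""Integrity manifest for a batch of scanned chart files (added example).

The Security Rule's integrity safeguard asks for detection of unauthorized
modification. One simple mechanism: take SHA-256 digests of every scanned
file at delivery, keep them in a manifest that ordinary users cannot rewrite
(here sealed with an HMAC under a key held by compliance, not by file users),
and re-verify on a schedule. Names and data below are constructed.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Placeholder key; in practice this comes from a secrets store the
# file-share users cannot read, otherwise the seal proves nothing.
SEAL_KEY = b"constructed-example-key-not-for-production"


def sha256_file(path: Path) -> str:
    """Stream the file so large scan PDFs do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Digest every file under root; keys are POSIX-style relative paths."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def seal_manifest(manifest: dict, key: bytes) -> dict:
    """Canonical JSON plus an HMAC-SHA256 tag over that exact byte string."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), "sha256").hexdigest()
    return {"body": body, "tag": tag}


def open_sealed_manifest(sealed: dict, key: bytes) -> dict:
    """Reject the manifest itself if its tag does not verify."""
    expected = hmac.new(key, sealed["body"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        raise ValueError("manifest seal invalid: manifest was altered")
    return json.loads(sealed["body"])


def verify_tree(root: Path, manifest: dict) -> dict:
    """Compare the current tree to the manifest; lists are sorted for stable output."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed batch: two fake page scans, then one edit, one deletion, one stray file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        chart = root / "chart-0001"
        chart.mkdir()
        (chart / "p001.pdf").write_bytes(b"%PDF-1.4 constructed page 1")
        (chart / "p002.pdf").write_bytes(b"%PDF-1.4 constructed page 2")
        sealed = seal_manifest(build_manifest(root), SEAL_KEY)

        # Simulate what a later audit run should catch.
        (chart / "p001.pdf").write_bytes(b"%PDF-1.4 altered page 1")
        (chart / "p002.pdf").unlink()
        (chart / "p003.pdf").write_bytes(b"%PDF-1.4 not in manifest")

        return verify_tree(root, open_sealed_manifest(sealed, SEAL_KEY))


def demo_tampered_manifest() -> bool:
    """Editing the manifest body without the key must be detected."""
    sealed = seal_manifest({"chart-0001/p001.pdf": "00" * 32}, SEAL_KEY)
    sealed["body"] = sealed["body"].replace("00" * 32, "ff" * 32)
    try:
        open_sealed_manifest(sealed, SEAL_KEY)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print("tampered manifest detected:", demo_tampered_manifest())
```

The manifest only helps if it is stored apart from the scans, which is why the seal key must live outside the file share. Hashing detects change but does not say who made it; that is the audit-control item, and it comes from the EHR or file server's own logging rather than from anything in this script.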
BAA requirement for scanning vendors
A scanning vendor working with PHI is a HIPAA business associate. The practice must sign a Business Associate Agreement (BAA) with the vendor before any PHI is handled. This requirement is not waived for "we only scan in your office" arrangements. The vendor's staff, equipment, and procedures still touch PHI, and the BAA must be in place.
Practices should be skeptical of any scanning vendor that resists signing a BAA or treats it as optional. The BAA is a baseline indicator that the vendor understands the regulatory environment.
What ArchiveBridge does about this
ArchiveBridge operates under a Business Associate Agreement signed before any PHI is handled. We scan onsite under your roof, run encrypted processing, and wipe temporary processing storage after delivery. Records are delivered into your EHR or office-controlled storage in a format that satisfies HIPAA accuracy, integrity, and accessibility standards.
Request a quote and we will walk through the agreement, the security posture, and the workflow for your specific archive.