Five questions a surveyor asks — and the audit trail that answers each one

Every SNF administrator I've talked to has at least one survey-week story. The state inspector arrives. They camp out in the conference room. They want documents — not the existence of documents, but the specific documents that close out a specific concern.

Survey weeks aren't pop quizzes about clinical theory. They're a request for receipts. The administrator who has the receipts at hand finishes the survey in two days and goes back to running their facility. The one who has to scrape together a binder finishes in five days, gets a citation for the gap that took three of those days to surface, and starts the year with a corrective action plan they didn't budget for.

VynScan isn't a clinical product. It's a receipts product that happens to sit inside a clinical workflow. Here are the five questions that tend to show up, and what the record needs to look like to answer each one cleanly.

1. "Show me every infection screen you ran in the last 30 days."

The surveyor isn't testing whether you ran screens. They already know you did, or at least they're going to assume you did and ask for proof. What they want is a query result — every test, every resident, every timestamp, every result, every operator, in one list, sortable.

The receipt: a portal export. Filter by date range, click download, hand it over. The export is the same data the device captured at the moment of the test, including the operator who ran it (because they were signed in to the app at the time), the device serial (because the device knows its own serial), and the result the strip itself displayed (because the device read the strip and stored the image). The surveyor doesn't have to take anyone's word for it.

2. "When the August 14 outbreak started, how quickly did you detect it?"

This is the question that turns into a citation if the answer is "we think it was around three days but our paper logs got combined with another resident's chart." Detection latency is measurable in the audit trail — first symptomatic screen of a confirmed cluster, then every subsequent screen sorted by minute.

The receipt: a session-level export filtered to the cluster's date range. The graph almost draws itself. First positive at 7:42 AM on the 14th. Second positive at 11:18 AM. Third at 2:55 PM. By contrast, the prior outbreak the facility lived through (with paper logs) had a 36-hour detection gap that nobody could quite explain because the original lab slip walked out of the building. The audit trail isn't a clinical improvement. It's a written record that you can defend.

3. "Who has access to resident health information, and can you remove someone today?"

HIPAA's least-privilege requirement isn't satisfied by a policy document. It's satisfied by a list of users, their roles, the facilities they can see, the data they can read, and the timestamps of when each of those permissions changed. The surveyor wants to see the list AND see what happens when a user is disabled.

The receipt: the Users tab in the portal. Filter by role. Disable a test account in front of the surveyor; the change shows up in the audit log within seconds. The audit log shows who disabled the account, when, and from what IP address. Re-enable. Disable again. The receipts compound; you can't undo them.

4. "Has any device on this floor been tampered with or accessed by an unauthorized user?"

This is the question that historically required a forensic-style review of paper logs cross-referenced against staff schedules. With every test capture cryptographically associated to a device serial, a user, and a timestamp, the answer is a saved filter.

The receipt: an audit query for the device in question, sorted by time. Each capture has a verification token computed at the moment of the test (patent US 12,308,098 B1 covers the tamper-evident chain of custody). If someone tried to substitute a strip or modify a result after the fact, the token check fails and the row stands out. If nobody did, every row passes — and that's what you hand over.
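To make the "token check fails and the row stands out" behavior concrete, here is an added sketch of a per-capture token check; it is not VynScan's code or the patented method. It assumes a keyed HMAC-SHA256 over the capture fields chained to the previous row's token, and the key, field names, and sample rows are all constructed for illustration.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # assumption: a per-device secret; constructed value
FIELDS = ("device_serial", "operator", "timestamp", "result", "image_sha256")

def compute_token(row, prev_token, key=KEY):
    # Assumed scheme: HMAC over the capture fields plus the previous row's token.
    payload = json.dumps([row[f] for f in FIELDS] + [prev_token])
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

def seal(rows, key=KEY):
    # Done at capture time: each row's token also commits to the row before it.
    sealed, prev = [], ""
    for row in rows:
        prev = compute_token(row, prev, key)
        sealed.append({**row, "token": prev})
    return sealed

def audit(rows, key=KEY):
    # Return the indexes of rows whose stored token no longer matches.
    failures, prev = [], ""
    for i, row in enumerate(rows):
        if not hmac.compare_digest(compute_token(row, prev, key), row["token"]):
            failures.append(i)
        prev = row["token"]  # chain on the stored token to localize the failure
    return failures

def capture(timestamp, operator, result, image_bytes):
    return {"device_serial": "DEMO-0001", "operator": operator,
            "timestamp": timestamp, "result": result,
            "image_sha256": hashlib.sha256(image_bytes).hexdigest()}

# Constructed sample captures (not real data).
SAMPLE = [
    capture("2024-08-14T07:42:00", "nurse.a", "positive", b"strip-image-1"),
    capture("2024-08-14T11:18:00", "nurse.b", "positive", b"strip-image-2"),
    capture("2024-08-14T14:55:00", "nurse.a", "positive", b"strip-image-3"),
]

if __name__ == "__main__":
    sealed = seal(SAMPLE)
    print("untouched:", audit(sealed))
    edited = [dict(r) for r in sealed]
    edited[1]["result"] = "negative"       # result changed after the fact
    print("edited row:", audit(edited))
    print("deleted row:", audit(sealed[:1] + sealed[2:]))  # successor fails
```

Chaining each token to the previous one is what lets the check catch a removed row as well as an edited one: the row that follows the gap no longer verifies.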

5. "What happens to this data when our contract with VynMed ends?"

Surveyors are increasingly asking about data retention not because they doubt the facility, but because the facility is the HIPAA covered entity and is responsible for what the Business Associate does. The answer needs to be specific. "It stays in their cloud forever" is wrong. "We'd have to ask" is worse.

The receipt: our Privacy Policy section 5, plus the BAA that names the retention window and the deletion procedure. Audit logs are retained for seven years, exceeding the HIPAA §164.316(b)(2) six-year minimum. Evidence images follow the facility's own retention policy, deleted within 30 days of contract termination unless a longer hold applies. The surveyor wants a written answer that aligns with the facility's own policy; we make sure they get it.

The shape of "defensibility"

I keep using the word defensibility in customer conversations because it captures something that the clinical-value framing doesn't. The clinical value of VynScan is real — faster results, fewer transcription errors, less interpretation drift between readers. But the surveyor doesn't see that on a chart. What they see is whether the facility can produce a clean, queryable, tamper-evident record of what it did, when, and why.

That's the part that turns into "no findings" on the exit interview.