SAS 70: Not Enough for HIPAA Compliance

Posted 3.2.12 by

I think the title says it all. Again and again, I come across blogs, press releases, articles, white papers and all other types of media spouting the same story: check your service provider's SAS 70 Type II report, because it is a great indicator of whether or not you should host your sensitive patient information in their data centers.

Where is the logic in this? Although we have many resources and blog posts about SOC 2, SSAE 16 and other audits/reports, and what they all really mean, perhaps none explicitly say:

SAS 70 is not the best measure of a service provider’s ability to provide HIPAA compliant hosting environments (data center facilities) or services.

SAS 70 is an outdated report on a service provider's controls as they relate to financial recordkeeping and reporting. It was never meant to be an indicator of data center operational excellence. It has also been superseded since June 2011, when it was replaced by SSAE 16.

What is the real indicator of a HIPAA compliant data center operator?

Ask to see a copy of your data center's independent HIPAA audit report conducted by a certified practitioner. That's the only real way you'll know whether they can actually pass a HIPAA audit with 100% compliance.

So, please, everyone in the data center, cloud hosting, colocation and managed dedicated server industry – stop spreading false and misleading messages for the sake of marketing.

Here are just a few examples of the confusion I’ve seen around the Web:

[Image: SAS 70 and HIPAA Example 1]

[Image: SAS 70 and HIPAA Example 2]

But in more educated and popular hosting forums, there appears to be consensus that SAS 70 is not an indicator of HIPAA compliant data centers:

[Image: SAS 70 and HIPAA - Forum]

The content of any audit report varies from data center to data center, so get educated in order to make informed decisions that could affect the availability and security of your PHI. Taking chances with serious federal penalties and legal costs isn't good for any business, and HIPAA's new audit program is ensuring enforcement against non-compliant covered entities.

Update: SAS 70 reports only on controls related to financial reporting. If you need assurance of controls directly related to data centers, including privacy, security and availability, look for a SOC 2 report.
SAS 70 was replaced by SSAE 16 in June 2011.

For more resources on SOC, SAS 70 & SSAE 16 audits and reports, try reading:
SAS 70, SSAE 16 and SOC Comparison
Data Center Standards Cheat Sheet – From HIPAA to SOC 2
A SOC of a Different Color: Critical Differences Between SOC 2 and SOC 1/SSAE 16

About Otava

Otava provides the secure, compliant hybrid cloud solutions demanded by service providers, channel partners and enterprise clients in compliance-sensitive industries. By actively aggregating best-of-breed cloud companies and investing in people, tools, and processes, Otava’s global footprint continues to expand. The company provides its customers in highly regulated disciplines with a clear path to transformation through its effective solutions and broad portfolio of hybrid cloud, data protection, disaster recovery, security and colocation services, all championed by an exceptional support team. Learn more at www.otava.com.
