03-02-12 | Blog Post

SAS 70: Not Enough for HIPAA Compliance

Blog Posts

I think the title says it all. Again and again, I come across blogs, press releases, articles, white papers; all types of media spouting the same story: Check your service provider’s SAS 70, Type II report, as that’s a great indicator of whether or not you should host your sensitive patient information in their data centers.

Where is the logic in this? Although we have many resources and blog posts about SOC 2, SSAE 16 and other audits/reports, and what they all really mean, perhaps none explicitly say:

SAS 70 is not the best measure of a service provider’s ability to provide HIPAA compliant hosting environments (data center facilities) or services.

SAS 70 is an outdated report on a service provider’s controls as they relate to financial recordkeeping and reporting. It was never meant to be an indicator of data center operational excellence. It’s even outdated as of June 2011, and replaced by SSAE 16.

What is the real indicator of a HIPAA compliant data center operator?

Ask to see a copy of your data center’s independent HIPAA audit report conducted by a certified practitioner. That’s the only real why you’ll know – if they can actually pass a HIPAA audit with 100% compliance.

So, please, everyone in the data center, cloud hosting, colocation and managed dedicated server industry – stop spreading false and misleading messages for the sake of marketing.

Here are just a few examples of the confusion I’ve seen around the Web:

SAS 70 and HIPAA Example1
SAS 70 and HIPAA Example1
SAS 70 and HIPAA Example2
SAS 70 and HIPAA Example2

But in more educated and popular hosting forums, there appears to be consensus that SAS 70 is not an indicator of HIPAA compliant data centers (click for larger):

SAS 70 and HIPAA - Forum
SAS 70 and HIPAA – Forum

The content of any audit report varies from data center to data center, so get educated in order to make informed decisions that could affect your PHI availability and security. Taking chances with serious federal penalties and legal costs isn’t good for any business, and HIPAA’s new audit program is ensuring enforcement of any non-compliant covered entities.

Update: SAS 70 reports only on controls related to financial reporting. If you need assurance of controls directly related to data centers, including privacy, security and availability, look for a SOC 2 report.
SAS 70 was replaced by SSAE 16 in June 2011.

For more resources on SOC, SAS 70 & SSAE 16 audits and reports, try reading:
SAS 70, SSAE 16 and SOC Comparison
Data Center Standards Cheat Sheet – From HIPAA to SOC 2
A SOC of a Different Color: Critical Differences Between SOC 2 and SOC 1/SSAE 16

Overwhelmed by cloud chaos?
We’re cloud experts, so you don’t have to be.

© 2024 OTAVA® All Rights Reserved