04-11-19 | References

Data Center Standards Cheat Sheet – From HIPAA to SOC 2


HIPAA

The Health Insurance Portability and Accountability Act of 1996 is a U.S. federal law whose Privacy and Security Rules, issued and enforced by the Department of Health and Human Services (HHS), govern how protected health information (PHI), such as patient medical records, must be safeguarded. A hosting provider that stores or processes PHI on behalf of a covered entity is a business associate and must meet the Security Rule's safeguards itself. A HIPAA audit conducted by an independent auditor against the HHS Office for Civil Rights (OCR) HIPAA Audit Protocol produces a documented report showing that a data center operator has the policies and procedures in place to offer HIPAA-compliant hosting.

There is no official HIPAA certification: HHS does not certify or endorse any product, service or audit as "HIPAA compliant", so an independent audit report against the OCR protocol is the strongest evidence a provider can offer. Ask to see that report, and expect the provider to sign a Business Associate Agreement (BAA) before any PHI is hosted.


PCI DSS

The Payment Card Industry Data Security Standard was created by the major payment card brands (through the PCI Security Standards Council) and applies to any company that accepts, stores, processes or transmits cardholder data. A data center operator should prove it runs a PCI-compliant environment with an independent assessment, and should be able to say which of its services help your company fulfill the 12 PCI DSS requirements. A provider's compliance covers only the controls it operates; your company remains responsible for everything in its own scope, so ask for the provider's Attestation of Compliance (AOC) and a responsibility matrix that states which requirements each party owns.

SAS 70

The Statement on Auditing Standards No. 70 was the original audit used to report on a service organization's controls relevant to its customers' financial reporting and record keeping. Developed by the AICPA (American Institute of CPAs), it had two types:

  • Type 1 – Reports on a company's description of its controls and their design as of a point in time
  • Type 2 – Adds the auditor's opinion on how effectively those controls operated over a specified period of time (typically at least six months)


SSAE 16

The Statement on Standards for Attestation Engagements No. 16 replaced SAS 70 in June 2011. An SSAE 16 audit measures the controls relevant to financial reporting; it was itself superseded by SSAE 18 for report dates on or after May 1, 2017 (see Recommended Reading below).

  • Type 1 – A data center's description of its controls and management's assertion that they are suitably designed, as of a point in time.
  • Type 2 – The auditor tests whether the controls were implemented and operated effectively over a specified period of time.


SOC 1

The first of three Service Organization Control reports developed by the AICPA, this report covers the controls of a data center that are relevant to its customers' financial reporting. SOC 1 is the report that an SSAE 16 engagement (now SSAE 18) produces, so the two names are often used interchangeably.


SOC 2

This report and audit are completely different from the previous ones. SOC 2 measures controls specifically relevant to IT and data center service providers against five Trust Services Criteria: security, availability, processing integrity (ensuring system processing is accurate, complete, timely and authorized), confidentiality and privacy. Security is the only mandatory criterion; the other four are included at the provider's option, so check which ones a given report actually covers. There are two types:

  • Type 1 – The auditor reports on the data center's description of its system and the suitability of its control design as of a point in time.
  • Type 2 – Includes everything in Type 1, plus the auditor's opinion on the operating effectiveness of the controls over a review period (commonly six to twelve months).


SOC 3

This is a general-use summary of a SOC 2 Type 2 examination: it carries the auditor's opinion on the same Trust Services Criteria but omits the detailed system description and test results, so it can be published freely and is often accompanied by a seal displayed on websites and other documents. Because it is less detailed and technical than a SOC 2 report, treat it as a signal and request the full SOC 2 report (usually under NDA) when you need to evaluate the controls themselves.

EU-U.S. Privacy Shield

What is the EU-U.S. Privacy Shield? Privacy Shield was the framework that replaced Safe Harbor for transferring personal data from the EU to the U.S. while maintaining its privacy and integrity. Unlike HIPAA, PCI and SOX compliance requirements, Privacy Shield was not a statute: it was developed by the U.S. Department of Commerce together with the European Commission, and companies joined it by self-certifying to its principles. Note that Privacy Shield was itself invalidated by the Court of Justice of the European Union in July 2020 (the Schrems II ruling), so it can no longer be relied on as a transfer mechanism.

Let’s Get In Touch

Ready to get started with compliant hosting? Otava can help. Our locations are independently audited against all of the above standards and more to ensure organizations' data is secure and protected. Choose from cloud, disaster recovery, colocation or data protection solutions and rest assured your most valuable asset is in safe hands. Contact us to get started with compliant cloud today.

Recommended Reading

How does Safe Harbor compare to the EU-US Privacy Shield? After Safe Harbor, the international data transfer law used by the U.S. and the European Union, was invalidated in October 2015, the Department of Commerce and the EU Commission worked to draft a new agreement…(Keep Reading)

Achieving Compliance in a Hybrid Cloud: According to the 2019 Rightscale® State of the Cloud report, the number of enterprises with a hybrid cloud strategy (one that combines both public and private clouds) grew to 58 percent for 2019, up from 51 percent… (Keep Reading)

What is a SOC 2 Report? Introduced in 2011, Service Organization Control (SOC) reports are becoming more and more popular in data security and compliance discussions with every passing year, especially SOC 2. But what is a SOC report? Which one do you need? Why is a SOC 2 report so important? (Keep Reading)

What is a HIPAA Violation? There are all kinds of HIPAA violation cases out there – whether they violate the security, administrative or technical safeguards, data breaches often occur within certain parameters, as can be seen from research of the HHS reported… (Keep Reading)

SSAE 18 vs SSAE 16: Key differences in the new SOC 1 standard: The AICPA has replaced the audit standard known as SSAE 16 with a new standard effective for report dates on or after May 1, 2017. This new standard, known as SSAE 18, is designed to address and clarify concerns… (Keep Reading)

About Otava

Otava provides the secure, compliant hybrid cloud solutions demanded by service providers, channel partners and enterprise clients in compliance-sensitive industries. By actively aggregating best-of-breed cloud companies and investing in people, tools, and processes, Otava’s global footprint continues to expand. The company provides its customers in highly regulated disciplines with a clear path to transformation through its effective solutions and broad portfolio of hybrid cloud, data protection, disaster recovery, security and colocation services, all championed by an exceptional support team. Learn more at www.otava.com.



© 2024 OTAVA® All Rights Reserved