{"id":1815,"date":"2012-03-02T00:00:00","date_gmt":"2012-03-02T00:00:00","guid":{"rendered":"http:\/\/otava.test\/sas-70-not-enough-for-hipaa-compliance\/"},"modified":"2012-03-02T00:00:00","modified_gmt":"2012-03-02T00:00:00","slug":"sas-70-not-enough-for-hipaa-compliance","status":"publish","type":"post","link":"https:\/\/www.otava.com\/blog\/sas-70-not-enough-for-hipaa-compliance\/","title":{"rendered":"SAS 70: Not Enough for HIPAA Compliance"},"content":{"rendered":"

I think the title says it all. Again and again, I come across blogs, press releases, articles, white papers; all types of media spouting the same story: Check your service provider\u2019s SAS 70, Type II report, as that\u2019s a great indicator of whether or not you should host your sensitive patient information in their data centers.<\/em><\/p>\n

Where is the logic in this? Although we have many resources and blog posts about SOC 2<\/a>, SSAE 16<\/a> and other audits\/reports, and what they all really mean, perhaps none explicitly say:<\/p>\n

SAS 70 is not the best measure of a service provider\u2019s ability to provide HIPAA compliant hosting environments (data center facilities) or services.<\/strong><\/p>\n

SAS 70<\/a> is an outdated report on a service provider\u2019s controls as they relate to financial recordkeeping and reporting. It was never meant to be an indicator of data center operational excellence. It\u2019s even outdated as of June 2011, and replaced by SSAE 16.<\/p>\n

What is the real<\/strong> indicator of a HIPAA compliant data center<\/a> operator?<\/p>\n

Ask to see a copy of your data center\u2019s independent HIPAA audit report conducted by a certified practitioner.<\/strong> That\u2019s the only real why you\u2019ll know – if they can actually pass a HIPAA audit with 100% compliance<\/a>.<\/p>\n

So, please, everyone in the data center<\/a>, cloud hosting<\/a>, colocation<\/a> and managed dedicated server<\/a> industry \u2013 stop spreading false and misleading messages for the sake of marketing.<\/p>\n

Here are just a few examples of the confusion I\u2019ve seen around the Web:<\/p>\n

\"SAS<\/a>
SAS 70 and HIPAA Example1<\/figcaption><\/figure>\n
\"SAS<\/a>
SAS 70 and HIPAA Example2<\/figcaption><\/figure>\n

But in more educated and popular hosting forums, there appears to be consensus that SAS 70 is not an indicator of HIPAA compliant data centers (click for larger):<\/p>\n

\"SAS<\/a>
SAS 70 and HIPAA – Forum<\/figcaption><\/figure>\n

The content of any audit report varies from data center to data center, so get educated in order to make informed decisions that could affect your PHI availability and security. Taking chances with serious federal penalties and legal costs isn\u2019t good for any business, and HIPAA\u2019s new audit program<\/a> is ensuring enforcement of any non-compliant covered entities.<\/p>\n

\n

Update:<\/strong> SAS 70 reports only on controls related to financial reporting. If you need assurance of controls directly related to data centers, including privacy, security and availability, look for a SOC 2 report<\/a>.
\nSAS 70 was replaced by SSAE 16 in June 2011.<\/p>\n<\/div>\n

For more resources on SOC, SAS 70 & SSAE 16 audits and reports, try reading:
\nSAS 70, SSAE 16 and SOC Comparison<\/a>
\nData Center Standards Cheat Sheet \u2013 From HIPAA to SOC 2<\/a>
\nA SOC of a Different Color: Critical Differences Between SOC 2 and SOC 1\/SSAE 16<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

I think the title says it all. Again and again, I come across blogs, press releases, articles, white papers; all types of media spouting the same story: Check your service provider\u2019s SAS 70, Type II report, as that\u2019s a great indicator of whether or not you should host your sensitive patient information in their data centers. Where is the logic in this? Although we have many resources and blog posts about SOC 2, SSAE 16 and other audits\/reports, and what they all really mean, perhaps none explicitly say: SAS 70 is not the best measure of a service provider\u2019s ability to provide HIPAA compliant hosting environments (data center facilities) or services. SAS 70 is an outdated report on a service provider\u2019s controls as they relate to financial recordkeeping and reporting. It was never meant to be an indicator of data center operational excellence. It\u2019s even outdated as of June 2011, and replaced by SSAE 16. What is the real indicator of a HIPAA compliant data center operator? Ask to see a copy of your data center\u2019s independent HIPAA audit report conducted by a certified practitioner. That\u2019s the only real why you\u2019ll know – if they can actually pass a HIPAA…<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[],"other_category":[],"class_list":["post-1815","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"acf":[],"yoast_head":"\nSAS 70: Not Enough for HIPAA Compliance | OTAVA<\/title>\n<meta name=\"description\" content=\"SAS 70 is not the best measure of a service provider\u2019s ability to provide HIPAA compliant hosting environments (data center facilities) or services.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.otava.com\/blog\/sas-70-not-enough-for-hipaa-compliance\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"SAS 70: Not Enough for HIPAA Compliance\" \/>\n<meta property=\"og:description\" content=\"SAS 70 is not the best measure of a service provider\u2019s ability to provide HIPAA compliant hosting environments (data center facilities) or services.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.otava.com\/blog\/sas-70-not-enough-for-hipaa-compliance\/\" \/>\n<meta property=\"og:site_name\" content=\"OTAVA\" \/>\n<meta property=\"article:published_time\" content=\"2012-03-02T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.otava.com\/wp-content\/uploads\/2019\/04\/SAS-70-and-HIPAA-Example1.png\" \/>\n<meta name=\"author\" content=\"Irma Brillantes\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Irma Brillantes\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.otava.com\/blog\/sas-70-not-enough-for-hipaa-compliance\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.otava.com\/blog\/sas-70-not-enough-for-hipaa-compliance\/\"},\"author\":{\"name\":\"Irma Brillantes\",\"@id\":\"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263\"},\"headline\":\"SAS 70: Not Enough for HIPAA Compliance\",\"datePublished\":\"2012-03-02T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.otava.com\/blog\/sas-70-not-enough-for-hipaa-compliance\/\"},\"wordCount\":450,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.otava.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.otava.com\/blog\/sas-70-not-enough-for-hipaa-compliance\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.otava.com\/wp-content\/uploads\/2019\/04\/SAS-70-and-HIPAA-Example1.png\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.otava.com\/blog\/sas-70-not-enough-for-hipaa-compliance\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.otava.com\/blog\/sas-70-not-enough-for-hipaa-compliance\/\",\"url\":\"https:\/\/www.otava.com\/blog\/sas-70-not-enough-for-hipaa-compliance\/\",\"name\":\"SAS 70: Not Enough for HIPAA Compliance | OTAVA\",\"isPartOf\":{\"@id\":\"https:\/\/www.otava.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.otava.com\/blog\/sas-70-not-enough-for-hipaa-compliance\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.otava.com\/blog\/sas-70-not-enough-for-hipaa-compliance\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.otava.com\/wp-content\/uploads\/2019\/04\/SAS-70-and-HIPAA-Example1.png\",\"datePublished\":\"2012-03-02T00:00:00+00:00\",\"description\":\"SAS 70 is not the best measure of a service provider\u2019s ability to provide HIPAA compliant hosting environments (data center facilities) or services.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.otava.com\/blog\/sas-70-not-enough-for-hipaa-compliance\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.otava.com\/blog\/sas-70-not-enough-for-hipaa-compliance\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.otava.com\/blog\/sas-70-not-enough-for-hipaa-compliance\/#primaryimage\",\"url\":\"https:\/\/www.otava.com\/wp-content\/uploads\/2019\/04\/SAS-70-and-HIPAA-Example1.png\",\"contentUrl\":\"https:\/\/www.otava.com\/wp-content\/uploads\/2019\/04\/SAS-70-and-HIPAA-Example1.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.otava.com\/blog\/sas-70-not-enough-for-hipaa-compliance\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.otava.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"SAS 70: Not Enough for HIPAA Compliance\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.otava.com\/#website\",\"url\":\"https:\/\/www.otava.com\/\",\"name\":\"OTAVA\u00ae\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/www.otava.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.otava.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.otava.com\/#organization\",\"name\":\"OTAVA\u00ae\",\"url\":\"https:\/\/www.otava.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.otava.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg\",\"contentUrl\":\"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg\",\"caption\":\"OTAVA\u00ae\"},\"image\":{\"@id\":\"https:\/\/www.otava.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263\",\"name\":\"Irma Brillantes\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g\",\"caption\":\"Irma Brillantes\"},\"url\":\"https:\/\/www.otava.com\/blog\/author\/ibrillantesotava-com\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"SAS 70: Not Enough for HIPAA Compliance | OTAVA","description":"SAS 70 is not the best measure of a service provider\u2019s ability to provide HIPAA compliant hosting environments (data center facilities) or services.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.otava.com\/blog\/sas-70-not-enough-for-hipaa-compliance\/","og_locale":"en_US","og_type":"article","og_title":"SAS 70: Not Enough for HIPAA Compliance","og_description":"SAS 70 is not the best measure of a service provider\u2019s ability to provide HIPAA compliant hosting environments (data center facilities) or services.","og_url":"https:\/\/www.otava.com\/blog\/sas-70-not-enough-for-hipaa-compliance\/","og_site_name":"OTAVA","article_published_time":"2012-03-02T00:00:00+00:00","og_image":[{"url":"https:\/\/www.otava.com\/wp-content\/uploads\/2019\/04\/SAS-70-and-HIPAA-Example1.png","type":"","width":"","height":""}],"author":"Irma Brillantes","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Irma Brillantes","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.otava.com\/blog\/sas-70-not-enough-for-hipaa-compliance\/#article","isPartOf":{"@id":"https:\/\/www.otava.com\/blog\/sas-70-not-enough-for-hipaa-compliance\/"},"author":{"name":"Irma Brillantes","@id":"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263"},"headline":"SAS 70: Not Enough for HIPAA Compliance","datePublished":"2012-03-02T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.otava.com\/blog\/sas-70-not-enough-for-hipaa-compliance\/"},"wordCount":450,"commentCount":0,"publisher":{"@id":"https:\/\/www.otava.com\/#organization"},"image":{"@id":"https:\/\/www.otava.com\/blog\/sas-70-not-enough-for-hipaa-compliance\/#primaryimage"},"thumbnailUrl":"https:\/\/www.otava.com\/wp-content\/uploads\/2019\/04\/SAS-70-and-HIPAA-Example1.png","inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.otava.com\/blog\/sas-70-not-enough-for-hipaa-compliance\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.otava.com\/blog\/sas-70-not-enough-for-hipaa-compliance\/","url":"https:\/\/www.otava.com\/blog\/sas-70-not-enough-for-hipaa-compliance\/","name":"SAS 70: Not Enough for HIPAA Compliance | OTAVA","isPartOf":{"@id":"https:\/\/www.otava.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.otava.com\/blog\/sas-70-not-enough-for-hipaa-compliance\/#primaryimage"},"image":{"@id":"https:\/\/www.otava.com\/blog\/sas-70-not-enough-for-hipaa-compliance\/#primaryimage"},"thumbnailUrl":"https:\/\/www.otava.com\/wp-content\/uploads\/2019\/04\/SAS-70-and-HIPAA-Example1.png","datePublished":"2012-03-02T00:00:00+00:00","description":"SAS 70 is not the best measure of a service provider\u2019s ability to provide HIPAA compliant hosting environments (data center facilities) or services.","breadcrumb":{"@id":"https:\/\/www.otava.com\/blog\/sas-70-not-enough-for-hipaa-compliance\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.otava.com\/blog\/sas-70-not-enough-for-hipaa-compliance\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.otava.com\/blog\/sas-70-not-enough-for-hipaa-compliance\/#primaryimage","url":"https:\/\/www.otava.com\/wp-content\/uploads\/2019\/04\/SAS-70-and-HIPAA-Example1.png","contentUrl":"https:\/\/www.otava.com\/wp-content\/uploads\/2019\/04\/SAS-70-and-HIPAA-Example1.png"},{"@type":"BreadcrumbList","@id":"https:\/\/www.otava.com\/blog\/sas-70-not-enough-for-hipaa-compliance\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.otava.com\/"},{"@type":"ListItem","position":2,"name":"SAS 70: Not Enough for HIPAA Compliance"}]},{"@type":"WebSite","@id":"https:\/\/www.otava.com\/#website","url":"https:\/\/www.otava.com\/","name":"OTAVA\u00ae","description":"","publisher":{"@id":"https:\/\/www.otava.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.otava.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.otava.com\/#organization","name":"OTAVA\u00ae","url":"https:\/\/www.otava.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.otava.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg","contentUrl":"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg","caption":"OTAVA\u00ae"},"image":{"@id":"https:\/\/www.otava.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263","name":"Irma Brillantes","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g","caption":"Irma Brillantes"},"url":"https:\/\/www.otava.com\/blog\/author\/ibrillantesotava-com\/"}]}},"_links":{"self":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/posts\/1815","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/comments?post=1815"}],"version-history":[{"count":0,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/posts\/1815\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/media?parent=1815"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/categories?post=1815"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/tags?post=1815"},{"taxonomy":"other_category","embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/other_category?post=1815"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}