Compliance Audit Cheat Sheet: Does your HIPAA have a SOC 2?

Posted on July 29, 2014 by April Sage


Wondering where all these standards come from and what they all mean? Here’s a guide to some common data center audits and reports.


Safe Harbor
What is the U.S.-EU Safe Harbor Framework? The U.S.-European Union Safe Harbor program is a streamlined self-certification process that lets US companies meet the requirements of the EU Data Protection Directive (Directive 95/46/EC, adopted in 1995) when they handle the personal data of EU residents, covering the privacy and integrity of that data. Unlike HIPAA, PCI and SOX, Safe Harbor is not an audit standard: the framework was developed by the U.S. Department of Commerce in 2000 in consultation with the European Commission.

Recommended Reading:
Safe Harbor Compliant Hosting
US - EU Safe Harbor Program

SAS 70
The Statement on Auditing Standards No. 70 was the original audit standard for reporting on a service organization's controls (such as a data center's) that are relevant to its customers' financial reporting and recordkeeping. Developed by the AICPA (American Institute of CPAs), it had two report types:

  • Type 1 – Reports on a company's description of their operational controls
  • Type 2 – Reports the auditor's opinion on how effectively these controls operated over a specified period of time (typically at least six months)

SSAE 16
The Statement on Standards for Attestation Engagements No. 16 replaced SAS 70 for reporting periods ending on or after June 15, 2011. Like SAS 70, an SSAE 16 audit measures the controls relevant to financial reporting; it does not, by itself, cover security, availability or privacy.

  • Type 1 – The auditor reports on the fairness of the data center's description of its system and on the suitability of the design of its controls, as of a point in time.
  • Type 2 – The auditor also tests whether the controls were implemented and operated effectively over a specified period of time.

SOC 1
The first of three Service Organization Control (SOC) reports defined by the AICPA, this report covers the controls at a data center that are relevant to its customers' financial reporting. It is the report produced by an SSAE 16 engagement, which is why "SOC 1" and "SSAE 16" are often used interchangeably.

SOC 2
This report and audit is a different animal. SOC 2 covers the operational controls of IT and data center service providers, measured against the AICPA's five Trust Services Principles: security, availability, processing integrity (system processing is complete, accurate, timely and authorized), confidentiality and privacy. A provider can be audited against any subset of the five, so check which principles a given report actually covers before relying on it. There are two types:

  • Type 1 – The auditor's opinion on the data center's system description and on the suitability of the design of its controls, as of a point in time.
  • Type 2 – Everything in Type 1, plus the auditor's opinion on the operating effectiveness of those controls over a specified period of time.

SOC 3
This report carries the auditor's opinion on the same Trust Services Principles as SOC 2, packaged as a general-use report with a seal that may be displayed on websites and other documents. It omits the detailed system description, control descriptions and test results found in a SOC 2 report, so it is less technical and less useful for vendor due diligence.

Recommended Reading:
A SOC of A Different Color: Critical Differences Between SOC 2 and SOC 1/SSAE 16
What’s the Difference Between SAS 70, SSAE 16 and SOC?

HIPAA
Enacted in 1996 and enforced by the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services, the Health Insurance Portability and Accountability Act, through its Privacy and Security Rules, sets requirements for safeguarding protected health information (PHI), meaning individually identifiable patient health data such as medical records. A hosting provider that stores or processes PHI on behalf of a healthcare provider is a business associate and is directly responsible for meeting the HIPAA Security Rule. There is no government-issued HIPAA certification, so a HIPAA audit conducted by an independent auditor against the OCR HIPAA Audit Protocol is the best documented evidence that a business associate has the administrative, physical and technical safeguards in place to protect patient data. None of the SOC, SSAE 16 or PCI reports described here demonstrates full HIPAA compliance on its own.

Recommended Reading:
HIPAA Compliant Hosting White Paper (Complete list of technical, physical and administrative hosting requirements).
Five Questions to Ask Your HIPAA Hosting Provider
Encrypting Data to Meet HIPAA Compliance

Watch webinar: HIPAA, HITECH & the Law

PCI DSS
The Payment Card Industry Data Security Standard is maintained by the PCI Security Standards Council, which was founded by the major card brands, and applies to any organization that accepts, stores, processes or transmits cardholder data. A data center operator hosting such environments should demonstrate a PCI DSS compliant environment through an independent assessment, and should be clear about which of the 12 PCI DSS requirements it covers on your behalf and which remain your responsibility. Since compliance is shared between the hosting provider and its customer, ask the provider for its Attestation of Compliance and a written breakdown of who is responsible for each requirement.

Recommended Reading:
PCI Compliant Hosting White Paper (Complete list of technical, physical and administrative hosting requirements).
PCI Compliance and Virtualization: New Recommendations
Guide to Becoming PCI Compliant: Build and Maintain a Secure Network
Guide to Becoming PCI Compliant: Protect Cardholder Data

Watch webinar: PCI Guidance for the Cloud

What questions do you have about audits? Leave a comment below and we'll answer it in a future post.


