When a customer is looking for a data center that is HIPAA Compliant, there’s an important distinction to keep in mind.
Strictly speaking, calling a data center “HIPAA Compliant” is a misnomer. Data Center Compliance is the responsibility of the hosting facility, which manages and maintains the physical infrastructure.
HIPAA Compliance, on the other hand, is the responsibility of the hosting provider, which manages and maintains both the infrastructure and the logical (medical) data. It is the systems that reside within the data center that are considered HIPAA Compliant – not the data center itself.
Data Center Compliance can achieve the certified status of SSAE 16 (Statement on Standards for Attestation Engagements #16) awarded by the American Institute of Certified Public Accountants (AICPA). This is the standard used for auditing organizational service controls.
Associated with it are reporting categories known as Service Organization Controls (SOC) audits: SOC 1, SOC 2, and SOC 3. These audits provide assurance and validation that service controls have been implemented and are functioning properly.
SOC 1 is used to audit Internal Controls over Financial Reporting (ICFR), focusing on security and availability.
SOC 2 is used to audit the service organization against the criteria of Security, Availability, Processing Integrity, Confidentiality, and Privacy (together called the Trust Services Principles) – to ensure systems are protected against unauthorized physical and logical access.
SOC 3 serves the same auditing purposes as SOC 2 and includes auditing in accordance with the Canadian Institute of Chartered Accountants (CICA) Trust Services Principles, Criteria, and Illustrations – to provide a summary Trust Services Report.
Reports are generated upon completion of the auditing process. Each service organization can receive one of two types of SSAE 16 report: Type 1 or Type 2. A Type 1 report covers the suitability of the design of the organization’s service controls within a designated timeframe. A Type 2 report covers the operating effectiveness of those service controls over a specified timeframe.
Data Center Compliance is the result of an SSAE 16 Readiness Assessment, which helps a service organization meet its reporting requirements. A qualified SSAE 16 auditing firm should be engaged to complete this daunting task; service organizations that want to adhere to these reporting requirements benefit greatly from that assistance throughout the process.