How often does an SSAE 16 audit have to be performed in order to be good enough for HIPPA compliance

Don Dickinson asked:

I need to find a dedicated hosting service that has (among other things) passed SSAE 16 audit. I found one that had the audit performed between 1/1/2013 and 6/1/2013. Should that be considered current enough? I’m not sure how often that audit must be performed to be considered current. Does anyone know?

My answer:


You should expect a service to have an SSAE 16 audit annually. While this isn’t a strict requirement of the standard, regulatory requirements change, new technology is added to the environment, etc. An out of date report may not be useful.

While we will stop short of calling it an annual “requirement”, customers and other intended users of SSAE 16 Type II reports will come to expect – and demand – such reporting on an annual basis. The “one and done” approach unfortunately does not work in today’s world of growing regulatory compliance mandates.


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.