AICPA SOC Certification

SSAE 18 SOC 1, Type II

SSAE 18 SOC 2, Type II

SOC reports consider controls at a service organization relevant to user entities’ internal control over financial reporting. SOC reports are prepared in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 18, which reports on controls at service organizations like KeyInfo, and are specifically intended to meet the needs of clients’ management and their auditors as they evaluate our controls on financial statement assertions. These reports are an important evaluation when clients need to consider financial reporting compliance laws and regulations such as the Sarbanes-Oxley Act. KeyInfo’s independent auditor’s SSAE No. 18 SOC 1, Type 2 Report and SSAE No. 18 SOC 2, Type 2 Report for data center and cloud services were prepared in accordance with the AICPA SSAE No. 18 and IAASB ISAE 3402 Standards. Please contact us for more information.

HIPAA Compliance

A growing number of healthcare organizations and their patients rely on KeyInfo’s KeyCloud services to process, store, and transmit protected health information under the HIPAA compliance guidelines.

KeyInfo enables covered organizations and their business associates subject to the U.S. Health Insurance Portability and Accountability Act (HIPAA) to use KeyInfo’s Data Center and the KeyCloud environment with confidence to process, maintain, and store protected health information within the guidelines of HIPAA and HITECH.

What are HIPAA and HITECH?


The HIPAA Privacy Rule is a set of federal standards to protect the privacy of patients’ medical records and other health information maintained by covered entities including health plans, doctors, hospitals, and other healthcare organizations. To improve the health care system, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, included provisions that required HHS to adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security. Congress also recognized that advances in electronic technology could erode the privacy of health information and incorporated provisions that mandated the adoption of Federal privacy protections for individually identifiable health information.


The Office of the National Coordinator for Health Information Technology’s (ONC) work on health IT is authorized by the Health Information Technology for Economic and Clinical Health (HITECH) Act.

The HITECH Act gives the U.S. Department of Health and Human Services (HHS) the authority to establish programs, such as HIPAA, to improve health care quality, safety, and efficiency through the promotion of health IT, including electronic health records (EHRs) and private and secure electronic health information exchange.

Is KeyInfo HIPAA-Certified?

There is no such thing as HIPAA certification for data center or cloud providers. To meet the HIPAA requirements applicable to our business, and to work within the guidelines of our clients who do fall within HIPAA requirements, Key Information Systems, Inc. (KeyInfo) has adopted all associated rules that make us compliant under examination within our data center and the cloud services we offer.

Examination findings state that KeyInfo’s information security program has been in place and that the program adopted the essential elements of HIPAA and HITECH (read the press release). The independent auditor issued an opinion based on its examination and tests of controls that determined our description of our information security program was fairly presented and that our program adopted essential elements of HIPAA and HITECH. The resulting report is available to clients who require it as a part of conducting business with us and includes the independent auditor’s opinion letter, management’s assertion, and testing matrices.

It is important to note that while our security program has been independently evaluated against the HIPAA security rule, no attestation would make Key Information Systems “HIPAA Certified” or even “HIPAA Compliant.” That determination is ultimately up to the covered entities or business associates with which Key Information Systems conducts business.

For more information or to review the examination findings, please contact us.
