Over the years, we’ve published several articles explaining what constitutes a breach and the steps to take if one occurs in your practice. Today, we’re focusing on “Safe Harbor” provisions—specifically, when an incident may not be considered a reportable breach.
A key concept in this discussion is FIPS 140. FIPS stands for Federal Information Processing Standard, and Publication 140 sets the security requirements for cryptographic modules, the hardware or software components that actually perform the encryption; NIST validates vendors' modules against it through the Cryptographic Module Validation Program (CMVP). FIPS 140-3 superseded FIPS 140-2 in 2019, but most deployed products, Windows included, still rely on modules validated under 140-2, and those 140-2 validations remain in good standing only until NIST moves them to its historical list in September of this year. While this may sound technical, your IT professional should understand these requirements and how they apply to your systems.
Under HIPAA, breach notification is only required when unsecured Protected Health Information (PHI) is involved, meaning PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals. HHS guidance spells out what qualifies: for data at rest, encryption consistent with NIST Special Publication 800-111, which in turn calls for FIPS 140-validated cryptographic modules; for data in transit, encryption consistent with the NIST publications on TLS, IPsec, and SSL VPNs. If a laptop is lost or stolen but its drive is encrypted that way, the incident may qualify for Safe Harbor and not be treated as a reportable breach. One caveat the guidance is explicit about: the protection only holds if the decryption key was not compromised along with the data, so the key, and any PIN, password, or recovery key that unlocks it, must be kept separate from the device. A recovery key written on a sticker inside the laptop bag defeats the whole exercise.
One of the first questions we ask clients is: “Are your computer hard drives encrypted?” If the answer is no, we strongly recommend enabling full-disk encryption. For organizations using Windows, the built-in option is BitLocker, which is included with Windows 11 Professional. BitLocker uses the operating system's cryptographic modules, which Microsoft has had validated under FIPS 140-2, and when the system is configured in FIPS mode BitLocker can meet FIPS 140-2 requirements.
For this reason, we have historically recommended Windows 11 Professional, as the Home edition offers only the simpler “Device Encryption” rather than the full BitLocker feature set, with no policy control over the encryption method, the key protectors, or FIPS mode. It is important to note that BitLocker must be configured in FIPS mode to meet Safe Harbor requirements; a default installation with BitLocker simply switched on is not sufficient. In Windows, FIPS mode is the security policy “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing,” and it should be enabled (with a reboot) before the drive is encrypted, because it affects how key protectors such as recovery passwords are created.
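The checks an IT professional would run before signing off on a Windows 11 Pro machine, written up here as an added example rather than a script from the original article. It assumes an elevated PowerShell session and the built-in BitLocker and TrustedPlatformModule modules; the function names (Test-FipsPolicyEnabled, Get-SafeHarborReadiness, Enable-FipsPolicy, Enable-SafeHarborBitLocker) are ours, and the registry path is the one the FIPS security policy writes to.

```powershell
# Added example (not from the original article). Audits and, separately,
# enables BitLocker in FIPS mode on Windows 11 Pro. Run elevated.
#Requires -RunAsAdministrator

# Registry value behind the Local Security Policy setting
# "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing".
$FipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

function Test-FipsPolicyEnabled {
    $val = (Get-ItemProperty -Path $FipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    return ($val -eq 1)
}

# One row per volume: is it fully encrypted, with protection on, under FIPS policy?
function Get-SafeHarborReadiness {
    $fips = Test-FipsPolicyEnabled
    $tpm  = Get-Tpm
    foreach ($vol in Get-BitLockerVolume) {
        $protectors = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        [pscustomobject]@{
            Drive            = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus      # want FullyEncrypted
            ProtectionOn     = ($vol.ProtectionStatus -eq 'On')
            EncryptionMethod = $vol.EncryptionMethod  # e.g. XtsAes256
            KeyProtectors    = $protectors            # e.g. Tpm,RecoveryPassword
            TpmReady         = $tpm.TpmReady
            FipsPolicy       = $fips
            Ready            = ($vol.VolumeStatus -eq 'FullyEncrypted' -and
                                $vol.ProtectionStatus -eq 'On' -and $fips)
        }
    }
}

# Step 1: turn the FIPS policy on, then reboot before encrypting.
function Enable-FipsPolicy {
    New-Item -Path $FipsKey -Force | Out-Null
    Set-ItemProperty -Path $FipsKey -Name Enabled -Value 1 -Type DWord
    Write-Warning 'FIPS policy set. Reboot before running Enable-SafeHarborBitLocker.'
}

# Step 2 (after the reboot): encrypt the OS drive with a TPM protector plus a
# recovery password. The recovery password must be escrowed away from the
# laptop (Active Directory, Entra ID, or your password vault), never kept on it.
function Enable-SafeHarborBitLocker {
    param([string]$MountPoint = 'C:')
    if (-not (Test-FipsPolicyEnabled)) { throw 'Enable the FIPS policy and reboot first.' }
    if (-not (Get-Tpm).TpmReady)       { throw 'TPM is not ready; initialize it in firmware/Windows first.' }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest
}

# Audit run (what a reviewer wants to see): every row should show Ready = True.
Get-SafeHarborReadiness | Format-Table -AutoSize
```

The audit function is the part to keep around: run it again after any major Windows upgrade or drive replacement, and capture its output as evidence for your risk assessment file. If a machine reports FullyEncrypted but FipsPolicy = False, the drive was encrypted outside FIPS mode; decrypt, enable the policy, reboot, and re-encrypt rather than just flipping the policy afterwards.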
There is an important update to be aware of: as of this writing, Microsoft has not yet validated BitLocker's underlying modules for FIPS 140-3. Windows 11 continues to rely on FIPS 140-2-validated cryptographic modules. These are still acceptable today, but once NIST moves 140-2 validations to its historical list, an unvalidated module could open a compliance gap. Your IT professional can confirm the current status by searching the module (for example, Microsoft's Cryptographic Primitives Library for your Windows build) on NIST's CMVP validated-modules list rather than relying on a vendor data sheet.
If Microsoft does not complete this validation in time, organizations may find it harder to demonstrate that lost or stolen encrypted devices qualify for Safe Harbor, so plan for the update now instead of discovering the gap during an incident.
For those using Mac computers, similar precautions apply. Ensure your operating system is current and supported, enable FileVault (System Settings > Privacy & Security), and escrow the FileVault recovery key somewhere other than the Mac itself. On current macOS releases Apple's cryptographic modules ship as part of the operating system and Apple publishes their FIPS 140 validation status on its platform certifications page; older releases required a separate FIPS package from Apple, so check which situation applies to the version you run.
Finally, we strongly recommend working with a qualified IT professional to configure encryption settings. Before enabling encryption, always back up critical data to prevent loss in case of configuration issues, and record each machine's encryption status so you can prove, on the day a laptop goes missing, that it was encrypted before it left the building.
If your practice relies on cloud-based software or backups, don't assume your data is automatically compliant. Ask your vendors to confirm in writing that your data is encrypted at rest and in transit, that the encryption uses FIPS 140-validated cryptographic modules (and their plan for FIPS 140-3), and who holds the encryption keys.
Taking these steps now can help protect your data—and may prevent a security incident from becoming a reportable breach.