SearchSecurity.com

HIPAA encryption requirements: How to avoid a breach disclosure

Following the recent Tricare breach, our CIO would like us to provide validation that we’ve sufficiently encrypted our company’s customer data. In the event of a breach, we want to avoid making a disclosure in accordance with HIPAA’s breach notification mandate that is necessary when data isn’t sufficiently encrypted. However, it seems like there is some gray area regarding what’s considered sufficient encryption. Can you boil down exactly what HIPAA demands with respect to data encryption, so an enterprise may avoid a breach disclosure?


All Rights Reserved, Copyright 2000 - 2013, TechTarget