There's a lot of assumptions about what HIPAA states when it comes to encryption, be it over the wire, files, whatever. The fact is that HIPAA makes absolutely no requirements for encryption*, just that if there's reasonable risk, it must have encryption. What kind of encryption? What sort of strength? It does not specify*.
So to break it down:
- Does HIPAA require encryption? No, unless there's a reasonable risk something could be read, as in over a network or what have you
- What sort of encryption does HIPAA require? Essentially anything.
My suggestions though are:
- You should use encryption in as many places as possible, especially if devices are storing information, almost all HIPAA data violations come from people losing laptops or whatever and the drives aren't encrypted. You can use something like TrueCrypt or even Windows EFS.
- I suggest PGP since it's so widely implemented and available, and SSL for networks, etc since again, implementation is widely available. Where not available you can tunnel over things such as encrypted VPN connections as well.
* Source: HIPAA 45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii).
By the way: IANAL/TINLA