Hipaa is about as confusing as things can get. Things you must do. Things you should do but are not explicitly required to do. Things you really want to do but don't really need to... Encryption falls into a gray area between these things. You must decide if it is required.
Lets get some definitions out of the way
Data at rest: Data at rest is all the data/PHI you have sitting on your computers, servers, or mobile devices.
Data in motion/transit: this is data that is actively being transmitted over the internet, moved on thumb drives, or copied to CD.
Encryption: Encryption is the process of hiding this information behind a key or password.
OK, so encryption is not strictly required(http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2001.html) but it does fall into the area of something that must be dealt with. it is an addressable implementation specifications. AWESOME, everyone knows what that is right? Well basically it is something that you must decide wether or not to implement it(http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2020.html).
There are guide lines to follow... You the business entity must decide if encryption is a reasonable and appropriate security measure. Then document your choice and the reasons why you chose that way. Then if you decided to encrypt everything, or some stuff, you must implement it or perform an equivalent security practice.
Give us a call if you ned more information.