• I don't recall there being a requirement to encrypt data within an 'appropriately protected' network. I do recall 128-bit encryption being the minimum for external data transfer over open connections (FTP, HTTP or the like). I don't know if the standards have been updated - haven't re-examined them in years. I have a healthcare client and they have no encryption within their SQL Servers (VERY important to not do this for performance concerns) and use HTTPS to present PHI-containing data to their clients via a web interface. EDI and other data load files are sent either using a proprietary file transfer system or PGP-encrypted FTP transfers. Data between the middle tier, web servers and SQL Servers is not encrypted since all of these reside behind a robust commercial firewall system.

    Best,
    Kevin G. Boles
    SQL Server Consultant
    SQL MVP 2007-2012
    TheSQLGuru on Google's mail service