• The main thing for HIPAA compliance is documentation. Do a risk assessment and document what you are doing to protect the data. Encrypt any time it goes outside your network, then do a risk assessment of your network to determine if you need internal encryption. I have many web/SQL apps. We have a hardware firewall and IDS. Because of our firewall, I don't expose our data to the Internet. On the web server I have SSL to encrypt. In IIS, I limit the IP space that can communicate with the box. Our server room routers have access rules that only allow the web box and a few other IPs to directly connect to the SQL box. All clients connecting to SQL must use an AD account that follows our hardening requirements (length, special character, history, ...). I encrypt SSN on the backend, but that is it.
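The "encrypt SSN on the backend" point above is the one control in that list that is code rather than network or policy configuration, and the detail that matters for HIPAA is what a database dump or a compromised DBA account can read. The following is an added example, not the poster's code and not tied to any particular product: it assumes the web/application tier holds the key (loaded from a secret store, DPAPI, or a KMS; the fixed key in `main` is for demonstration only) and encrypts each SSN with AES-256-GCM before it is written to the SQL box, using the patient ID as associated data so a ciphertext copied between rows will not decrypt. The `PatientID`/`SSN` field names and the masking rule are assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// SSNCipher encrypts individual SSN values in the application tier.
// The key lives with the web/app servers, never in the same database
// as the ciphertext, so a copy of the SQL data alone is not enough.
type SSNCipher struct {
	aead cipher.AEAD
}

// NewSSNCipher builds an AES-GCM cipher; key must be 16, 24 or 32 bytes.
func NewSSNCipher(key []byte) (*SSNCipher, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &SSNCipher{aead: aead}, nil
}

// Encrypt returns base64(nonce || ciphertext || tag), ready to store in a
// varbinary/varchar column. patientID is bound in as associated data: it is
// not encrypted, but the tag check fails if it does not match at decrypt time.
func (c *SSNCipher) Encrypt(patientID, ssn string) (string, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := c.aead.Seal(nonce, nonce, []byte(ssn), []byte(patientID))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Decrypt reverses Encrypt. It fails (without leaking why) on a wrong key,
// a modified value, or a ciphertext that belongs to a different patient.
func (c *SSNCipher) Decrypt(patientID, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	ns := c.aead.NonceSize()
	if len(raw) < ns+c.aead.Overhead() {
		return "", errors.New("stored value too short to be a valid ciphertext")
	}
	pt, err := c.aead.Open(nil, raw[:ns], raw[ns:], []byte(patientID))
	if err != nil {
		return "", errors.New("SSN decrypt failed: wrong key, tampered value, or wrong patient")
	}
	return string(pt), nil
}

// Masked is the form most screens should show; decrypt to the full value
// only where the workflow genuinely needs it. Assumes NNN-NN-NNNN input.
func Masked(ssn string) string {
	if len(ssn) != 11 || strings.Count(ssn, "-") != 2 {
		return "***-**-****"
	}
	return "***-**-" + ssn[len(ssn)-4:]
}

func main() {
	// Demonstration key only; a real deployment loads this from a secret store.
	key := []byte("0123456789abcdef0123456789abcdef")
	c, err := NewSSNCipher(key)
	if err != nil {
		panic(err)
	}
	// Constructed sample record, not real data.
	stored, _ := c.Encrypt("patient-1001", "123-45-6789")
	fmt.Println("stored in SQL:", stored)
	ssn, _ := c.Decrypt("patient-1001", stored)
	fmt.Println("decrypted:", ssn, "display:", Masked(ssn))
	// Copying the ciphertext onto another patient's row does not decrypt.
	if _, err := c.Decrypt("patient-2002", stored); err != nil {
		fmt.Println("row swap rejected:", err)
	}
}
```

The associated-data binding is the part worth copying: without it, an attacker with write access to the table (but no key) could still move a known patient's encrypted SSN onto another record, which is a data-integrity failure that plain column encryption does not catch. Key rotation is the usual follow-on requirement: store a key version with each value so old rows can be re-encrypted on read.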