Standards for Data Encryption in SOX / HIPAA in SQL Server 200x
First, Google for HIPAA Compliance
Then read articles like this one: http://www.developer.com/java/ent/article.php/3301011/HIPAA-Security-Rule---What-Software-Developers-Should-Know.htm
And this one http://www.hipaa.ihs.gov/index.cfm?module=compliance_packet
Finally, talk to a lawyer for your company. Inadequate PHI protections will cost your company millions when you lose your claim because your HIPAA compliance strategy is based on the answers on StackOverflow.
source to share
At one company I was at, following credit card security rules, they created a key and then destroyed this hard drive with a sledgehammer so that no one could get the information that went into creating that key.
Although they used an Oracle database, they created their own key to encrypt credit cards.
For HIPAA compliance, I do not trust any encryption performed by the database as it may not have the required security and your company is on the hook for any failures.
It is best to control the key yourself rather than having the key in a database or server.
Have the key to enter when the application or server application starts up, but as Lott pointed out, your legal advisor will need to be involved in the design review to make sure all issues are covered.
source to share
The SQL Server 2008 Cryptographic API is certified for Common Criteria: Common Criteria Certification .
source to share