by lvh
2276 days ago
The Security Rule and Transmission Control Standard mention encryption, but as Addressable, not Required, if memory serves. That means you have to do it if it's "reasonable and appropriate", and in this context they just mean transport encryption like TLS, not Signal-style actual E2E. Not that you shouldn't, of course. And you better have an excuse for not doing it (e.g. "we don't re-encrypt after the load balancer terminates TLS" is a common one). But doctors' offices fax stuff to each other all the time, and that certainly is not encrypted. Perhaps you're thinking of a HITRUST control? (Minor nit: HIPAA, not HIPPA.)