This question is not that easy to answer. The regulation itself doesn't say anything about requiring encryption.
However, there is a safe harbor provision pertaining to your requirement to notify the individuals and the secretary of HHS in case you have a security breach. It basically states that if the information is "unusable, unreadable, or indecipherable to unauthorized individuals", then the covered entity does not have to report the breach. HHS doesn't specify what would qualify in their mind to allow you to apply this safe harbor provision, but they do cite examples:
FIPS 140-2 compliant encryption for data in transit (any kind of electronic transmission) and NIST 800-111 compliant encryption for data at rest (e.g. laptops, PDAs, hard disks, etc.).
So, having encrypted disks on portable devices will make you suffer a lot less pain and embarrassment should a device be lost or stolen.
Alternatively, you can make sure that none of the data ever leaves your data center. You can achieve that by virtualizing desktops and applications in the data center and using secure, high-performance delivery protocols. I am planning on releasing some material specifically around this topic, so stay tuned.
twitter: @<a href="http://twitter.com/florianbecker">florianbecker</a>
TechTarget Blog: <a href="http://searchhealthit.techtarget.com/healthitexchange/virtualizationpulse/">Virtualization Pulse</a>
<a href="http://community.citrix.com/p/healthcare-it#home">Ask the Architect - Everything Healthcare</a>
To answer the specific question that was asked, as a business associate under HITECH you need to follow the HIPAA Security Rule safeguard requirements that already apply to you, recognizing that under HITECH you may now be held directly responsible for violating HIPAA, rather than the HIPAA-covered entity or entities with which you have business associate agreement(s) in place. As for encryption, you are not required to implement any data encryption at all if you don't want to/can't make the business case to do so. The incentive is to give yourself an exception from data breach notification rules if your data is compromised; if it's "unusable, unreadable, or otherwise indecipherable" then you don't have to report that it went missing. If you have systems that can't take advantage of encryption technology, then you want to make sure your other security controls (including data handling processes) are as able as possible to prevent PHI from being disclosed without authorization.
One source of guidance on this is the health data breach disclosure rules themselves, available with guidance and instructions from the HHS Health Information Privacy website, at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html