How to Protect Sensitive (HIPAA) SQL Server Standard Data and Log Files
Solution 1:
The general suggestion for HIPAA is to follow the PCI Data Security Standard (PCI-DSS), except everywhere they say "Cardholder Information" or "Account Information" you say "PHI". My company (Healthcare industry, dealing with PHI) uses the PCI-DSS as our primary starting point, along with a healthy dose of common sense (e.g. making sure the data STAYS encrypted (or confined to secure networks) at all times).
Column-level encryption of some kind is almost always a good idea when dealing with sensitive data, and given the potential cost of a lawsuit it's high up there with things to consider.
Solution 2:
You need to protect the PHI which would require that you encrypt the data in the database table. Encrypting the data within the column level if your best bet. Searching on these fields is going to be expensive, but that's the cost of high security.
I talk about a variety of data encryption options in chapter 2 of my book "Securing SQL Server"