How to Protect Sensitive (HIPAA) SQL Server Standard Data and Log Files

The general suggestion for HIPAA is to follow the PCI Data Security Standard (PCI-DSS), except everywhere they say “Cardholder Information” or “Account Information” you say “PHI”. My company (Healthcare industry, dealing with PHI) uses the PCI-DSS as our primary starting point, along with a healthy dose of common sense (e.g. making sure the data STAYS encrypted (or confined to secure networks) at all times).

Column-level encryption of some kind is almost always a good idea when dealing with sensitive data, and given the potential cost of a lawsuit it’s high up there with things to consider.
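The following T-SQL is an added worked example of the column-level approach the answer above recommends; it is not code from the original poster. It uses SQL Server's built-in key hierarchy (database master key, certificate, symmetric key) so that the PHI column holds only ciphertext, which is what then lands in the data file, the transaction log and every backup. The table, key and certificate names and the sample patient rows are constructed for the example, and the master-key password is a placeholder to replace.

```sql
-- Added example: encrypt a single PHI column (a patient's SSN) in SQL Server.
-- Run inside the database that holds the PHI table.

-- 1. Database master key: protects the certificate's private key.
--    The password below is a placeholder; use a strong secret from your vault.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'REPLACE-WITH-STRONG-MASTER-KEY-PASSWORD';

-- 2. Certificate that wraps the symmetric key (back it up separately,
--    off the database server; losing it means losing the data).
CREATE CERTIFICATE PhiColumnCert
    WITH SUBJECT = 'Key-encrypting certificate for PHI columns';

-- 3. Symmetric key used for the actual column encryption (AES-256).
CREATE SYMMETRIC KEY PhiColumnKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE PhiColumnCert;

-- 4. Table with the sensitive value stored only as ciphertext.
CREATE TABLE dbo.Patient
(
    PatientId    INT            NOT NULL PRIMARY KEY,
    FullName     NVARCHAR(100)  NOT NULL,
    SsnEncrypted VARBINARY(256) NOT NULL   -- never store the plaintext SSN
);

-- 5. Writing: open the key, encrypt, close the key.
--    PatientId is used as an "authenticator" so a ciphertext copied from
--    one row into another row will not decrypt (detects row swapping).
OPEN SYMMETRIC KEY PhiColumnKey DECRYPTION BY CERTIFICATE PhiColumnCert;

INSERT INTO dbo.Patient (PatientId, FullName, SsnEncrypted)
VALUES
    (1001, N'Example Patient A',
     EncryptByKey(Key_GUID('PhiColumnKey'),
                  CONVERT(VARBINARY(32), N'000-00-0001'),   -- constructed sample SSN
                  1, CONVERT(VARBINARY(4), 1001))),
    (1002, N'Example Patient B',
     EncryptByKey(Key_GUID('PhiColumnKey'),
                  CONVERT(VARBINARY(32), N'000-00-0002'),   -- constructed sample SSN
                  1, CONVERT(VARBINARY(4), 1002)));

CLOSE SYMMETRIC KEY PhiColumnKey;

-- 6. Reading: only sessions that can open the key (i.e. have CONTROL on the
--    certificate / VIEW DEFINITION on the key) get plaintext back.
--    Everyone else, including anyone reading the .mdf/.ldf or a backup
--    offline, sees only the VARBINARY ciphertext.
OPEN SYMMETRIC KEY PhiColumnKey DECRYPTION BY CERTIFICATE PhiColumnCert;

SELECT  PatientId,
        FullName,
        CONVERT(NVARCHAR(20),
                DecryptByKey(SsnEncrypted, 1, CONVERT(VARBINARY(4), PatientId))) AS Ssn
FROM    dbo.Patient;

CLOSE SYMMETRIC KEY PhiColumnKey;

-- 7. Sanity check without opening the key: the column must contain no
--    readable SSN pattern. If this returns rows, plaintext leaked in.
SELECT PatientId
FROM   dbo.Patient
WHERE  CONVERT(NVARCHAR(MAX), SsnEncrypted) LIKE N'%[0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9]%';
```

Two points worth keeping in mind when adopting this pattern: encrypted values cannot be indexed or range-searched in plaintext form, so design lookups around the unencrypted key columns; and the certificate (with its private key) must be backed up and stored separately from the database backups, otherwise a restored copy of the database is unreadable and, conversely, a backup that carries both is no better protected than an unencrypted one.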
