I think the hysteria over the "insecurity" of internet email is based on the fact that nobody knows what route a packet of information will take going from one mailbox to another over the internet. It could take a million different routes over the millions of routers and servers on the internet, and the possibility exists that someone could catch the message as it passed through a particular router or server. I have two analogies for this. First, consider the "insecurity" of having your keys in your car with the car unlocked (and the ignition turned on, too). Would you believe that it happens millions of times a day? People leave their cars turned on, with the keys in, and the doors unlocked. How very, very unsafe. Of course, most of the time when this happens, the owner is in the car, usually driving. Isn't an internet email in transit like an unlocked car on the highway? Someone could take the car, but they'd have to get into it while it was moving. Intercepting an email on the internet is like catching an arrow out of the air: theoretically possible, but really, really unlikely.
Should you encrypt email you send over the internet? You certainly should consider it, but it is not required (I did mention that, didn't I?). Should you encrypt email you send over your intranet, behind your firewall? The risk of outside interception is really small, but to the extent you want to keep internal eyes off of information they don't have a role-based need to access, it might be appropriate. This is the only really good argument I can think of for internet email encryption: keeping the information protected if it is accidentally sent to the wrong email address. Of course, you could just make sure you don't send to the wrong email address: only send external emails to verified addresses, or as return mail to patients requesting information. Try to convince your patients and trading partners to use simple encryption, but if they won't or can't, and your staff can't spend the time teaching and reteaching it to patients, I don't know if you should bother.
If you don't encrypt ePHI at rest behind your firewall, do you need to encrypt ePHI in transit behind your firewall? Again, the good reason for doing so is if you have a large organization with multiple layers of "need to know" or some other risk factors that militate for protection against the inadvertent disclosure to the wrong in-house party.
More later. I need some Tylenol.