Internal e-mail does not have to be encrypted, as long as a risk assessment finds no risks to those e-mails. Keep in mind that if e-mails will traverse wireless networks (or any other similarly risky system) where the risk assessment turns up vulnerabilities, encryption may be required. Similarly, the final HIPAA Security Rule now treats encryption of external (Internet, etc.) e-mail as "addressable" and leaves it to the covered entity to determine whether specific risks found during a risk assessment require those e-mails to be encrypted. Bottom line: if risks are found, encryption will be required.
For some specific sample policies/guidelines on e-mail security, check out the ones on the SANS site at http://www.sans.org/resources/policies.
This was first published in March 2003