The HIPAA Security Rule is generally applicable to Medical Practices in the USA which bill insurance electronically (or for whom insurance is billed electronically). Such practices are “Covered Entities” under the HIPAA Regulations. Notably, cosmetic surgeons who do not bill insurance at all are generally NOT Covered Entities, and thus are NOT bound by the specific requirements of the HIPAA Security Rule.
The page on the official HIPAA website, run by the US Department of Health and Human Services, has a page discussing what is and is not a Covered Entity at https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html . There is a tool linked to from that asks the questions that determine whether you are a Covered Entity. I encourage you to go through that tool if there is any question as to whether you are a Covered Entity
To greatly oversimplify, the rule is basically that covered entities must (1) Do an analysis of potential security vulnerabilities, and (2) Decide what to do about each of them. Notably, there is NOT a requirement to implement specific technologies, such as encryption. There are, however, specific requirements for the types of vulnerabilities that must be addressed.
Information directly from the US Government about what is and is not required by the HIPAA Security Rule is available at https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
If anybody tells you that a specific technology must be implemented according to the HIPAA Security Rule, ask them to point to the specific regulation that requires it, on that page or the rules linked to on that page. They will not be able to, because specific technologies are not required under the HIPAA Security Rule.