[eluser]Dan Bowling[/eluser]
That's pretty secure, as long as someone doesn't have your salt.
Keep in mind that HIPAA demands more than just encryption too. It matters about who has access to what data, and that there is auditing done. If your organization deals with HIPAA, you should have some sort of a compliance officer that can help walk you through the requirements.