First, it is not the lines, it is the packets that must be encrypted. And, like anything else, it either is or it isn't. Our signaling is SIP based and is secured using TLS. The other packets used are the actual voice packets which generally use RTP. We use sRTP, which is the secure form.
This is where hosted VoIP (hosted by professionals and can monitor your setup 24/7 and know what the hell they are doing if they are capable of knowing what the hell they are doing) comes in handy. Most people are not capable of setting up a secure VoIP solution with QOS and proper VLANs or separte connections to the outside world. While you can run VoIP on the same subnet as your network (each phone being 192.168.1.x similar to your subnet of your network 192.168.1.x) you would be silly to do this.
This is where your research comes in. You want to ask your provider where the QOS is (at their end or in your switch), will they help design your networks, will they provide their own Internet connection (we got lucky and got it for free) and so on.
Remember, the good thing about VoIP is it can do SOOOOO many things that a regular, digital phone system over POTS lines can do. The downside is there are so many things it can be overwhelming. This is where paying for a hosted solution is beneficial. And, you stil basically break even once the phones are purchased. Remember, VoIP such as this, you pay for the "seat" not the line. So, 6 phones, you pay each month for 6 phones depending on the package for each.
As to the HIPAA, who cares. It is 100 times more likely that three people in your waiting room now knows that Patient A has scabies because your receptionist stated it, than for a hacker to intercept your phone call.
I remember a great quote from an extremely good networking person:
Is there someone out there that can hack into your network? Definitely
Is there someone out there that wants to hack into your network?
Doubtful.
No one but you is going to care whether your VoIP is HIPAA compliant or not.
