I'm using Ruby on Rails 4.2 with MySQL for my HIPAA compliance application and I need to know the technical database requirements for this application.
Do we really need to encrypt all the database values, such as patient name etc.?
Yes, you have to encrypt all the details (name, email, phone, address) related to patients and doctors if you want your Rails application to be HIPAA compliant.
The two Ruby gems below are very helpful for you.
attr_encrypted: https://github.com/shuber/attr_encrypted
paper_trail: https://github.com/airblade/paper_trail
HIPAA is an unusual law in that it makes a lot of recommendations (addressable items) and a few assertions (required items), but in the end it is up to each organization to determine for themselves what they need to do to be compliant. This creates a great deal of flexibility and also a great deal of uncertainty. In general, to be HIPAA-compliant, a web site must at a minimum ensure that all protected health information (ePHI) meets the following:
Transport Encryption: Is always encrypted as it is transmitted over the Internet
Backup: Is never lost, i.e. should be backed up and can be recovered
Authorization: Is only accessible by authorized personnel using unique, audited access controls
Integrity: Is not tampered with or altered
Storage Encryption: Should be encrypted when it is being stored or archived
Disposal: Can be permanently disposed of when no longer needed
Omnibus/HITECH: Is located on the web servers of a company with whom you have a HIPAA Business Associate Agreement (or it is hosted in house and those servers are properly secured per the HIPAA security rule requirements).
The HIPAA requirements are not nearly strong enough. In short, it states that you must encrypt medical records at rest and you cannot use a broken primitive, which is obvious. Whoever audits your system would probably like to see AES. This is trivial to support, and an Amazon RDS MySQL instance already supports this out of the box with the aes_encrypt() and aes_decrypt() functions.
Where HIPAA and PCI-DSS fall short is that they don't state what mode of operation should be used. In fact, MySQL's aes_encrypt() uses ECB mode, which is horrific. Furthermore, there are problems with enforcing security when using encryption at this layer. aes_encrypt() is easy to break by configuring MySQL to log all queries. The AES key must be embedded in your application, so if it is compromised, the attacker could read the value out of a configuration file and access the records. These are two points of failure that can be avoided by encrypting the data within your application and then transmitting cipher text to the database. But HIPAA doesn't care about this problem. HIPAA's other requirements, such as requiring a CISSP to analyze your application, are more important.
I urge you to implement a secure system, but HIPAA wasn't designed well enough to care.
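The answers above make two points that are easier to see in code: the first answer's advice to encrypt patient fields in the Rails application rather than in the database, and the last answer's warning that MySQL's aes_encrypt() uses ECB mode and that a key passed inside SQL statements ends up in the query log. The following is an added example in plain Ruby (not from the original answers, and not the attr_encrypted gem's own code) showing why ECB leaks structure and what an application-layer alternative looks like: AES-256-GCM with a fresh random nonce per record and an authentication tag, so modified ciphertext is rejected on read, which also serves the Integrity item in the second answer's list. The key is generated in-process only for the example; a real application would load it from its secrets store, never from a SQL string.

```ruby
require 'openssl'
require 'securerandom'

# Constructed for this example only: in production the key comes from a
# secrets store or environment variable, never from the database or a query.
KEY = SecureRandom.random_bytes(32)

# Weak form: AES in ECB mode, the mode MySQL's aes_encrypt() uses.
# Every 16-byte block is encrypted independently, so equal plaintext blocks
# produce equal ciphertext blocks and the stored value leaks structure.
def ecb_encrypt(key, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-ecb')
  cipher.encrypt
  cipher.key = key
  cipher.update(plaintext) + cipher.final
end

# True when the ECB ciphertext contains repeated 16-byte blocks, i.e. when an
# observer of the column could tell that two parts of the plaintext are equal.
def ecb_leaks_structure?(key, plaintext)
  ct = ecb_encrypt(key, plaintext)
  blocks = (0...ct.bytesize).step(16).map { |i| ct.byteslice(i, 16) }
  blocks.uniq.size < blocks.size
end

# Hardened form: AES-256-GCM done in the application. A random 12-byte nonce
# per record means two encryptions of the same name differ, and the GCM tag
# detects any change to the stored bytes. The database and its query log
# only ever see the hex-encoded nonce, tag and ciphertext.
def encrypt_field(key, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.encrypt
  cipher.key = key
  iv = cipher.random_iv            # generates and sets a fresh 12-byte nonce
  cipher.auth_data = ''
  ciphertext = cipher.update(plaintext) + cipher.final
  # One text column holds nonce.tag.ciphertext, each hex-encoded.
  [iv, cipher.auth_tag, ciphertext].map { |b| b.unpack1('H*') }.join('.')
end

# Returns the plaintext, or nil when the tag check fails (tampered data or
# wrong key). Callers should treat nil as an integrity incident, not as empty.
def decrypt_field(key, stored)
  iv, tag, ciphertext = stored.split('.').map { |h| [h].pack('H*') }
  decipher = OpenSSL::Cipher.new('aes-256-gcm')
  decipher.decrypt
  decipher.key = key
  decipher.iv = iv
  decipher.auth_tag = tag
  decipher.auth_data = ''
  decipher.update(ciphertext) + decipher.final
rescue OpenSSL::Cipher::CipherError
  nil
end

# Simulates an attacker or a bit flip altering one nibble of the stored value.
def tamper(stored)
  stored[0...-1] + (stored[-1] == '0' ? '1' : '0')
end

if __FILE__ == $PROGRAM_NAME
  puts "ECB repeats blocks for 'A'*32: #{ecb_leaks_structure?(KEY, 'A' * 32)}"
  stored = encrypt_field(KEY, 'Jane Doe')
  puts "stored column value: #{stored}"
  puts "decrypted: #{decrypt_field(KEY, stored).inspect}"
  puts "after tampering: #{decrypt_field(KEY, tamper(stored)).inspect}"
end
```

The split between encrypt_field and decrypt_field is what a Rails model-level approach (the attr_encrypted gem mentioned in the first answer, or Rails' own encrypted attributes in later versions) does for you: the key stays in the application process, and the SQL that reaches MySQL, and therefore its general query log, carries only ciphertext.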