The HIPAA Security Rule, with a compliance date of April 2005 for most covered entities, does not mandate encryption. It does require an office to protect electronic PHI (Protected Health Information), including PHI sent by email, against unauthorized access during transmission. Encryption is listed as an "addressable" implementation specification: a practice must implement it if doing so is reasonable and appropriate, and if it chooses any other means of protection it must document why encryption was not reasonable and appropriate and how the alternative measure achieves equivalent protection. The burden of proof is on the practice.
In 2009 the HITECH Act passed, requiring HHS to specify the technologies and methodologies that render PHI "unusable, unreadable, or indecipherable" to unauthorized individuals, which HHS did in guidance issued that year. Under that guidance, PHI is considered "secured" only if it is encrypted in a manner consistent with the named NIST publications: NIST SP 800-111 for data at rest, and for data in transit standards such as NIST SP 800-52 (TLS), SP 800-77 (IPsec VPNs) or SP 800-113 (SSL VPNs). If PHI is not encrypted this way and it is lost, stolen, hacked, or otherwise exposed, the incident is a breach of "unsecured" PHI that triggers the costly notification process of the Breach Notification Rule (interim final rule, 2009). Encryption that meets the guidance is a safe harbor: a lost laptop or intercepted message holding properly encrypted PHI is not a reportable breach.
So the bottom line is yes, a practice needs to secure the transmission of PHI. Encryption that follows the HHS-referenced NIST guidance is the safest and easiest way to accomplish this, because it both satisfies the Security Rule's addressable specification and keeps an exposure from counting as a reportable breach.