Hosted email services are not considered HIPAA compliant. They will need to host their email server in-house and use email encryption between all users, and even then someone will get stupid and send an email with PHI to someone they shouldn't, and then here comes HHS to bust you.
Essentially, your physicians / staff will send email with PHI outside their firewall, to land on a server outside their direct control, and then be rerouted to the recipient, who more likely than not won't have any serious security to protect the contents of that email.
We secure-fax imaging reports to physicians (or send them directly to their EMR via an HL-7 interface); if they want to see the study they have to log on via an SSL client to PACS. Any EMR / HIS / RIS / PACS worth the trouble to have will have the ability for users to log on off-site (home, other office, etc.), so that physicians can collaborate on particular case studies.
Essentially, you have to account for every place the PHI is accessed from, where it went, where it's stored, who had access to it, blah, blah, blah... In the event of a complaint, HHS will demand an audit of the PHI in question, and if they find out it was just emailed out to anyone without encryption, here come the fines.
For an in-house LAN messenger I use Softros LAN Messenger; that way staff (all behind the firewall) can message each other with all the PHI they want, since it's behind the firewall. Softros Messenger also works via WAN as well.
So to make a long-winded explanation short, don't send email with PHI via hosted services, ever. If they just gotta, then host the email server in-house with full encryption between ALL senders / recipients, and even then it probably won't save you during an HHS inspection / audit.
