HIPAA is specific to health privacy issues and SOX (Sarbanes-Oxley) only covers audits of publicly held companies....
Sending HIPAA data via email should be done via PGP or a CERT, but there is nothing limiting the originating IP.
Auditors frequently misunderstand technical topics and react with a shotgun approach.
SOX is really concerned more about accountability than confidentiality and, because of that, encrypted email is actually a bad thing here. Corporations would be required to hold private keys of officers for up to 7 years in order to comply with this...
The only place where SOX might apply is if a corporate officer were emailing confidential, audit-related information from an external location... which means they're probably on shaky ground anyway.
In order to comply with SOX, corporate officers would have to surrender their private keys and those would have to be kept in a secure location for 7 years to permit auditors to read all related email. Note that this is true for internal and external email.
We also have FDIC regs involving privacy of client information. At any rate, you're right in that they do tend to take a shotgun approach. In their defense, some of these emails do involve audit information and things like contract negotiations, and managers tend to treat all email the same. If they use Hotmail to send work email from home, they will generally send anything over it that they would send through the internal email system at work.