ISPConfig is only as HIPAA compliant as its services. The question becomes: is Postfix HIPAA compliant? I have not found anything that says it can be made to be.
Not sure where to begin on answering that, so I will just say that for us who must comply, there are myriads of rules related to PHI (patient healthcare information) that deal with both physical and electronic data. There are HIPAA regulations and then there are the HITECH provisions of HIPAA that deal with data that may contain PHI. I agree with WEBGUYZ above. First would be the components (Dovecot, Postfix, etc.) and then the management tool to support them.
You can run Postfix and Dovecot with TLS/SSL. But AFAIK you must also store the data somewhere else and make sure that this data cannot be modified (something like a mail archive).