My experiences on this suggest that any company that both produces something classifiable as PHI and large enough to have dedicated IT / Legal staff have fairly draconian policies that include "every attachment that is mailed to a mail server that is not ours is stripped".

When individuals work around these policies, there tends to be some level of legal shielding for the larger business entity when it is investigated.