Your customer is mandated, by Federal law, to give you a Business Associate Contract. As guardian for their e-mail, you are mandated to comply with the same rules and regulations they must comply with and you must also ensure that whatever passes through your servers, whether IIS, FTP, or E-Mail, is in compliance.
If you want to provide the product to HIPAA covered entities, then you must be in compliance, and part of that requires that you are covered by a Business Associate Contract.
I provided the links for your review. If you don't comply, and your customer is audited, you will be too.
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net
Phone: (773) 491-9019
Phone: (224) 444-0169
E-Mail and DNS Security Specialist
Network Security Specialist
Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/
Web and E-Mail Hosting, E-Mail Security and Consulting