All well and good, up to a point. You should, however, be able to protect the files and folders where SM data is stored, using Windows security, without encrypting those files/folders. I have had entire SM email servers blocked for file access for anyone but admins for years. If your SM server is running on a file server with shared (document, etc.) folders, you can still do this quite easily.
Setting up your SM server datastore so that only admins have rights to those files/folders does NOT prevent the flow of email to and from the datastore, because that happens over different mechanisms than file/folder access rights.
That said, encrypting the data does take up processor time, and certainly can make recovery of mailboxes and emails more difficult. I can see where some folks would need it or want it, but along with the "view password" issue, it's definitely not desired in many cases, as it adds administrative and processor overhead.
Regarding HIPAA security, employers generally, by law, have full rights to peruse the BUSINESS email boxes of employees, when they provide company email. How HIPAA laws affect these rules, I have no idea. Would not mind being enlightened on that point.
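
As an added example (not part of the original post and not vendor code), one way to verify the admin-only file permissions described above is to list every Allow entry on the datastore that belongs to an unexpected account, and to check whether any file share exposes the folder. The datastore path is a placeholder, the function names are hypothetical, and the allowed-identity list (Administrators plus SYSTEM, on the assumption that the mail service runs as SYSTEM) is an assumption to adjust for your server.

```powershell
# Added example. Path, function names and the $Allowed list are assumptions.
function Get-UnexpectedDatastoreAccess {
    param(
        [Parameter(Mandatory)] [string]   $DataPath,
        # Identities expected to hold rights; add the service account if it is not SYSTEM.
        [string[]] $Allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )
    # Check the root folder and every subfolder, since inheritance can be broken lower down.
    $items = @(Get-Item -LiteralPath $DataPath -Force) +
             @(Get-ChildItem -LiteralPath $DataPath -Recurse -Directory -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }                 # Deny entries are not a finding
            if ($Allowed -contains $ace.IdentityReference.Value) { continue }   # case-insensitive match
            [pscustomobject]@{
                Path      = $item.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # True: fix it on a parent folder instead
            }
        }
    }
}

function Get-SharesExposingDatastore {
    param([Parameter(Mandatory)] [string] $DataPath)
    # On a combined file/mail server, a share rooted at or above the datastore
    # makes it reachable over SMB, subject to the NTFS permissions audited above.
    $full = (Resolve-Path -LiteralPath $DataPath).ProviderPath.TrimEnd('\') + '\'
    Get-SmbShare | Where-Object {
        $_.Path -and
        $full.StartsWith($_.Path.TrimEnd('\') + '\', [System.StringComparison]::OrdinalIgnoreCase)
    } | Select-Object Name, Path
}

# Placeholder path; substitute the real datastore location.
$datastore = 'D:\PLACEHOLDER\MailData'
Get-UnexpectedDatastoreAccess -DataPath $datastore | Format-Table -AutoSize
Get-SharesExposingDatastore   -DataPath $datastore | Format-Table -AutoSize
```

Empty output from both calls means only the allowed identities hold Allow entries and no share covers the folder; run it from an elevated session so the ACLs can be read.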