by superuser2 3933 days ago
HIPAA compliance is 99% paperwork, policies, and procedures. There are technical safeguards, but they're things you'd be irresponsible not to do anyway: have individual user accounts, encrypt things, lock workstations after periods of inactivity, have reasonable password policies, etc. And it's pretty dated - as far as I know 2FA isn't even mentioned. It also doesn't include things you'd think it might: no medical practice is actually using PGP. Microsoft Exchange as far as the eye can see. Maybe, if you're lucky, a central gateway so that outgoing emails show up as a link to a web portal where you can log in and view the message.

Most of HIPAA compliance (from an IT perspective) is having a comprehensive security policy and documenting that you're doing certain activities with the appropriate frequency: risk analysis, security audits, auditing user accounts and privileges, security training for users, etc.

I think the biggest barrier to getting HIPAA compliance on more infrastructure providers is that infrastructure providers are engineering organizations, and HIPAA is mostly a CYA activity for lawyers (plus some easy, obvious OPSEC).