You’re right, the real distinction is on-premises vs off-premises, I should have made that more clear (although free software implies on-premises being possible)
The distinction is that companies that require HIPAA workloads aren’t going to upload their entire dataset into Google Cloud Spanner, which is not available as on-prem version, and which isn’t HIPAA certified.
So either we need an on-prem version of Cloud Spanner, Cloud Spanner needs to be HIPAA certified, certified to match German privacy laws, etc, or Cloud Spanner can’t serve these situations.
Google, and Amazon, and MS, undergo extensive third-party audits and people can, and do, run HIPAA workloads there.
I’m not sure what distinction you are trying to draw.