HIPAA enforces nothing other than a pinky-swear-promise of compliance. There are hundreds, if not thousands, of middlemen who sell SaaS like this to medical professionals. If one suffers a breach then shuts down, your doctor will just switch to the next one in line with no consequences because "they promised they were compliant". Meanwhile all your medical details will end up in a public dataset forevermore.