The onus of HIPAA compliance isn't up to the cloud provider, it's up to you and your organization's use of the cloud service. Compliance has to do with things like: data encryption, security of the access to the data, destruction of records, and so forth. Claims of HIPAA compliance may be only towards encryption of data in place, encryption of data in transit, and their offering of access security that enables you to do the job of compiling with the Act. It's up to you to ensure that you're in compliance, which means a quick education as to what's required for your use of (patient) data. May I suggest obtaining best practice information and extrapolating what you find to what you're doing, and educating those involved on what's required for your application prior to proceeding, as then and only then will vendor claims make sense to your situation.