We are now approaching the territory of "Seemingly simple questions it is maddeningly difficult to get a straight answer on", but I have discussed this with multiple lawyers, often experts at HIPAA under the employ of enterprise clients, and "You don't own the hardware?" has never been a dealbreaker for them.

YMMV. Ask a lawyer if you want to sleep better at night.

I will close with the observation that, empirically, the system that you and I come up with is OMGWTFROFLSTOMP more secure than what passes for state-of-the-art at many of our clients. ("We didn't want the data to be stored in a database, because that isn't secure, so just think of worse places to put data because I think I've heard them all.")