Yeah, that’s a good summary and my general take on the state of HIPAA compliance also. Like, you can’t ask either Galaxy or AWS to be HIPAA compliant for you.
Mostly what AWS does with its HIPAA Tier is it rules out various services which are specifically known NOT to be compliant. The big example historically was Elastic Beanstalk, which will install containers from different vendors on the same server; which could be a problem if there were ever a configuration hiccup. So they don’t even offer it; and they assume that any org in the HIPAA Tier will want to manage their own servers.
Mostly, an org that wants to use Galaxy to host a HIPAA compliant app needs to treat its liabilities as ending with FCC laws around wiretapping. For HIPAA purposes, basically just treat Galaxy as a snazzy telco infrastructure provider.
You’ll still need to implement user accounts, audit logs, encrypted data on the wire and on disk, policies and procedures, etc. All of which is the far more difficult lift.