I did a contract programming gig for UCSF Med in 2018-2019 and they had a highly competent, mercilessly detail-oriented internal IT team trying to find HIPAA/security holes in my app on the reg. I actually left the project because this level of security wasn't in the original scope of work. Surprised if they weren't applying similar standards to their internal data and backup strategy.
