Just another super important point about this, you are talking about two industries who, for the most part, haven't bought into the public cloud yet.
I'm not gonna say "most", because, I really don't know, but I'd bet that most (oopps!) of these companies have firewalls that block google docs and the likes. Their idea of "cloud" is to run virtualization on their own servers in their own data centers and call it a day.
There are huge security (mostly made up) and regulatory (mostly made up) reasons for them not to move to the cloud.
I assume you say "mostly made up" in the derogatory sense - how come? I'm basically okay with the spirit of what HIPAA is trying to accomplish, which is not sharing my medical information with anyone I don't explicitly authorize, accidentally or otherwise.
I'm no expert, but from what I've seen, both medical and financial regulation aren't nearly as detailed and absurd as IT-Risk/Compliance make them out to be. They don't say that you can't host with AWS (or AWS private cloud), but both those departments will insist that you can't.
It really comes down to being an unknown and it being easier (and perceived as safer) to "just say no". It isn't the regulation that I dislike, it's that said regulations are used to keep large organizations in the stone age. And, to be honest, from what I've observed, it really comes down to people not wanting to learn/work and having a powerful excuse (REGULATIONS!!) to avoid doing so.
Absolutely correct. Anyone who tells you that HIPAA requires you to do XYZ is full of shit. The difficulty with HIPAA is that it sets a very basic framework that you have to fill in with your own policies and procedures. How strictly you follow your own procedures is what will get you in hot water.