It's really about who is willing to sign a business associate agreement and take the fall if something bad happens. Complexity just varies based on the implementing company's aversion to risk. Bigger companies (appear to) have more to lose and therefore (might) implement more robust and complex solutions. A smaller company might flout more best practices than you're willing to accept - and then you can pretend to be ignorant rather than asking for an explanation about their infrastructure and hope it doesn't bite you in the ass (since you're still responsible for vetting companies even when you've initiated a business associate agreement). Both are "HIPAA-compliant", but the smaller company probably isn't HIPAA-compliant in the way one might hope.
Of course, there are people who are very afraid of what might happen if they don't take HIPAA seriously even at smaller companies. I suppose those companies turn into big expensive companies pretty quickly.
Not sure how big rsync.net is, and no, I'm not advertising, but their pricing is reasonable and I trust that they really are HIPAA-compliant in the way that I'm willing to accept. So this isn't a strict rule, but I do think that there are a lot of situations where you have a non-compliant product that is more compliant than the "HIPAA-compliant" product.