Also, SOX and PCI audit issues come up. I don't know about your situation, but if those compliances are needed, then check for those credentials. Or in this case, I guess, HIPAA regs. In other words, if your company is already spending major brain damage on internal audits, then I'd say you have to at least match that security level. I would not think you could just get away with a general statement. Your HIPAA auditors will want details on the cloud "supplier".
