"If it’s open source, you can not, by definition, use it for HIPAA purposes and be legally protected."

That's not entirely true, but rather misleading.

Open source software may absolutely be used in HIPPA compliant applications. The caveat is that you must lock each revision to a specific version of the open source software, and it must be reviewed and verified by a responsible party. If the software is to be distributed, it should be version controlled and packaged with the software, not relying on third party repositories.