
Why do you say it's illegal? Google is not a covered entity under HIPAA as far as I can tell, is it something else?


I was under the impression that HIPAA applies to anyone in possession of private healthcare information (medical information tied to personally identifiable information).


https://www.hhs.gov/hipaa/for-professionals/covered-entities...

It doesn't appear to be as broad as you (and I) imagined. Google might qualify as a "Health Care Clearinghouse" in this case, but it's far from clear.


As that link states, HIPAA extends to "business associates". Google isn't a "covered entity", as that has a specific definition, but it is a business associate in relation to a covered entity (e.g. health care providers). The reason for the two different terms is that covered entities deal with patients directly, and thus have certain rules that only apply to them in relation to interacting with said patients. Since Google is a business associate that does not directly interact with patients, only the rules specifically in relation to PHI and other business activities apply, as others (e.g. patient interaction) are moot.

Protected Health Information is protected under HIPAA for both covered entities and business associates alike. Otherwise, HIPAA would be pointless if covered entities could just pass the PHI to business associates or shell companies unfettered.

Note: I would not consider myself a "HIPAA expert", but I'm a clinical researcher that has to ensure HIPAA compliance for my lab.


At least from the last time this came up on HN, it was about Google's software being used via a server actually owned by the partner hospital, and Google's access was "only via a few employees"; IIRC it wasn't data stored on their servers, or it was only stored via Google Cloud Storage (and I doubt they'd compromise security on GCP buckets for advertising purposes).



