WordPress itself is not HIPAA compliant, so there would a clause that you should never store any PHI on the site.

BuddyBoss is a Theme/Platform plugin, which does not change the situation of where the data is held/stored.

The main challenge with HIPAA is that you’ll need to ensure you’re using compliant web-hosting and that you have an ongoing audit for any activity on personal information, along with the appropriate security procedures in place.