I think you need to speak with consultants that are specialized in HIPAA (not HIPPA, right?) compliance, as there are many levels / layers to their requirements and some are just guidelines rather than requirements.

NASes are not all the same; you may not even need a NAS. I read through some of the guidelines, but I would not consider myself to be a good source of information.

Something to bear in mind: you may be fine with direct-attached storage (external) if you aren't sharing the disk space out and are using a compliant encryption application.