absolutely. and if you started to use a backend sever, you could assign roles to your users and harness the power of IAM through firebase auth and really narrow down who has access to what docs.
Firebase can be used in HIPAA compliant systems when implemented the right way. It’s safe. What you need to worry about is your security rules. There are some good threads about that in the community.