In this thread:
http://forums.asp.net/t/1982675.aspx?HIPAA+Compliant+Architecture
It was mentioned that data isolation is a requirement. I have not seen a CFR or NIST document that states that multi-tenancy can not be accomplished at the application layer. IE, all patient data in the same SQL tables in one SQL database.
If someone from this thread above who says that it should be can point to the guidance on that it would be great. To me it's silent.