The questions I would ask are: the application is written in Java, so what? But how is it stored BEFORE it is transmitted to your system? Is it in an Oracle database with encrypted fields and tables, or in some sort of in-house created data structure like a linked list?
Next is what happens to the data once it is encrypted and sent to you? Do they save it away somewhere on the server, or delete it, or what?
Next is what is on your end, i.e. an Oracle database with encrypted fields and tables, and how is it imported into your system? Once you import it, what do you do with the files: save them, delete them, or what?
Last of all, is there a particular reason they don't use HTTPS or a VPN or another somewhat secure transmission method, and why is no one watching their transmission path, i.e. the stops and jumps, to see who is watching what they send or you gather?
Some references:
https://www.healthcareitnews.com/blog/9-steps-secure-phi-file-transfer-under-new-hipaa-rule
http://www.onlinetech.com/resources/references/what-is-hipaa-compliance
And finally:
https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html
I would venture to say your company is just waiting to get a huge shaft from the government if someone raises hell!