Password policies are a mandatory requirement with HIPAA. Password managers offer a good security layer, but yes, this single layer is vulnerable to keystroke malware capturing the master password. Pairing this with a hardware token such as a Yubikey, makes this a much stronger layer. Google Authenticator (which is a multi factor authentication solution) is a stronger security layer than passwords alone, but it's still not a silver bullet. Security layers must be blended together to be effective.