Well, I'd start with the acronym before even considering testing. It's HIPAA (Health Insurance Portability and Accountability Act).
One thing to strongly consider and discuss with the client would be the need for a BAA (Business Associate Agreement). A BAA is a contract between a healthcare provider and a business that may have access to PHI (Protected Health Information), which is possible during a penetration test. Even if you narrowly scope it to avoid things like an EMR (Electronic Medical Record) system, a tester may run into PHI. I recently ran across a drug screen result report on an employee laptop during an investigation. It was their report, but it was PHI that needs authorization for access.
HIPAA does not require "penetration testing" specifically as a method to test certain controls. However, HIPAA does require that controls are frequently audited (just like any other "compliance thing") and that certain controls are in place (compliance thing again) to protect health information. Looking at recent audits, risk assessments, or other testing would be a good place to start when scoping the pen test.
Also, remember to determine which systems are critical. In the case of a healthcare provider, it can really be a case of life or death if a critical system goes down. If a first responder alert system stops "talking", it is a pretty big deal.
That's a start...
(Took a while to type this up...but like you said above - BAA.)
Look into the requirements for HIPAA and understand why it was started and what the goal of it is. The requirements are actually more straightforward and simple than things like SOX. Get balls deep into it all and figure it out. Lots of stuff out there.