If my vendor says that the system we are using is HIPAA Security compliant, does that mean we are also HIPAA Security compliant?

No, it does not.

A system in and of itself cannot be HIPAA compliant because the administrative controls and practices of the user must also be considered and evaluated.

Only a Covered Entity (CE) can be HIPAA Security compliant. (Note: This is explicitly stated in the regulation.) The HIPAA Security rule requires that the CE entity either implement or address the administrative, physical, and technical security standards and specifications described in the rule. For example, HIPAA requires that a security risk assessment be performed and that documented security policies and procedures for the CE organization be in place and maintained for six years.

While a system may support many or all of the required technical safeguards, a CE cannot be HIPAA Security compliant until it has documented and addressed all the administrative, physical, and technical standards and specifications that the rule requires.