Is it okay for our IT support contractor to remote in without authorization?
You haven't actually provided enough details to say one way or the other. The fact that you didn't see an authentication prompt doesn't preclude there from being one.
The remote access tools I use in my job (which also deals with HIPAA) both require me to authenticate with my domain admin credentials and do not prompt users to accept the connection, because I've configured them that way.
HIPAA does not get to specifics of policy, the substance of it is that organization have to have sufficient controls in place to protect data. There's nothing inherently wrong with an unprompted takeover from a HIPAA perspective, as long as other controls (authentication, authorization, access control lists, access logging and auditing, antimalware on the support PC, legal agreements in place between the support organization and your organization, etc) are in place.
So without knowing what your organization has in the way of IT security policies, processes and procedures there's no way to tell.
As for whether unprompted take-overs are a good thing then no, they are not. You really want to have a warning when someone is taking over your PC for support, or even looking at your screen.