>>It turns out this can be done using e-mail. In this case the client has a secure mail back-end (Exchange) and remote staff can use either Outlook or Outlook Web App (web mail) for a secure connection to Exchange... trick is to send a ZIP file as an attachment to each staff as internal mail (don't send to any external mail domain).
I know you're in Canada but even the US HIPAA specifically accepts emailed confidential files as long as they're encrypted with something better than Zipcrypto. So your proposed model has support. 7Zip with AES256 is secure until the content is unpacked insecurely to the local device (which breaches HIPAA if the device is then stolen fwiw.) Consider something like Veracrypt: once opened with correct password, a Veracrypt repository behaves like an extra volume containing files that can be read/edited without insecure local copies.
"... They ne'er cared for us
yet: suffer us to famish, and their store-houses
crammed with grain; make edicts for usury, to
support usurers; repeal daily any wholesome act
established against the rich, and provide more
piercing statutes daily, to chain up and restrain
the poor. If the wars eat us not up, they will; and
there's all the love they bear us."
-- Shakespeare: Coriolanus, Act 1, scene 1
