>>The irony here is that while a lack of remote access exists because of the new privacy regs - access to the database is allowed in a relatively unsecure manner.

TECHNICAL LEVEL
The above slogan is out of date- the CONSTRING setting since VFP7 makes it easy to prevent access to data except by a DBA or via the application. And don't forget that a hacker/disenchanted ex-employee can still call a SP if he/she knows the parameters and a sloppy developer relies on user execute privileges for "security".

REAL-WORLD LEVEL
Since as much as 75% of misuse of patient data is caused by admin staff abusing their privileges with less than 5% by "hackers", Application behavior, process, professionalism, peer review and management are concerns that often come before the geek stuff anyway. An external contractor accessing patient data remotely with admin privileges is likely to ring the HIPAA alert bell far more than whether the application saves data via SP, RV or little green men waving semaphore flags.

>>Also, it is interesting that you chose to go the route that made it (seemingly) easier for you to maintain as opposed to what would be a better architecture for the client.

How can this assertion be validated when you know so little about the customers' needs or exactly what the app needs to do. This is just another way of saying "SP is always best... because SP is always best."

>>I say seemingly because maintaining client-side embedded SQL that is passed to a server actually requires more effort to maintain.

Piffle.

>>Having a good deal of experience in these kinds of systems, all I can say is that I would not advise others to go the route you chose.

She has dozens of customers and you have... what... one such customer? Yet you have a "great deal" of experience, enough to know better than she what her customers need and how to deliver it?