>>I don't see that as the issue at all
Obviously. This is what concerns me; the difference between an external contractor having remote admin access to a patient database, and an application used by clinical/clerical/management staff saving and accessing data, really ought to be immediately obvious even to those who know nothing about HIPAA! Something is blocking the view here.
"... They ne'er cared for us
yet: suffer us to famish, and their store-houses
crammed with grain; make edicts for usury, to
support usurers; repeal daily any wholesome act
established against the rich, and provide more
piercing statutes daily, to chain up and restrain
the poor. If the wars eat us not up, they will; and
there's all the love they bear us."
-- Shakespeare: Coriolanus, Act 1, scene 1