I believe the problem with the original posters problems is that it possibly also involves state/government systems not just a small company like a medical office trying to be HIPAA compliant.
I worked for a doctor's office and it wasn't very big at all and the providers could access their messages and patient's charts from home. (I believe they could also access them on their phones)