With HIPAA compliance requirements EVERYONE with access MUST have their own login's that's not just for HIPAA compliance but it's for audit trail as well. With that said there are various ways for restricting access to read/write within the PM systems, this can be done on either the remote access software end or in the PM system itself. For example, I have clients who have access only to their reports and data to view, but I also have clients who want access to make changes and again there is an audit trail that will let you know what's changed and who changed it, (providing compliance is adhered to with log ins and access for only those who have need to know) This all has to be addressed with the client, what their wishes are and should be very well detailed and outlined in each contract.