9

Here's a scenario:

  1. An intranet CPOE application
  2. User runs a report, which downloads as a PDF and opens in Acrobat on the local PC
  3. User leaves the PC without logging out or closing Acrobat
  4. CPOE times out and auto-logs the user out
  5. The PDF with sensitive data stays open. It is also stored in the browser cache/download folder

Now, is this a HIPAA issue? Is there anything a CPOE vendor can do? There are other things like clipboard, screenshots, etc., all resulting in a similar issue.

Martin Haluza

1 Answer

7

I asked a somewhat related question a while back, and after additional research, I think I have an answer for you.

Short answer is yes, it's a HIPAA issue. However, it is not implicitly a HIPAA violation. I'll assume that since you're discussing CPOE from the system in question, we're taking a provider organization's workstation, or a provider's workstation. In either case, the onus is on the workstation owner to have implemented proper security measures and practices to protect this information as it has been left on the machine.

1) The cache/download folder should be able to be cleaned quickly and implicitly via any "cancel"/abort action baked into the UI workflow, leaving no trace of PII/PHI. (If you've launched Acrobat and it triggers a download to your download folder, I'm assuming we're at the point where the user has said "generate this". Care providers may not like a pop-up every time that reminds them of the HIPAA considerations; however, the 'do not show this message anymore' pattern should suffice.)

2) Smart configuration of system (e.g. Windows) authentication can protect the signed-in user's file structure (including the cache/download folder). If nobody else can get to this data without authenticating, it's potentially okay.

3) Most responsible organizations dealing with HIPAA compliance have strict auto-logout procedures (e.g. 10 mins), however walking away w/o logging out and leaving Acrobat open as you describe is not a good move (so don't burden users with this liability in your product design). This should be part of a more comprehensive, published, and frequently maintained security framework for the organization's HIPAA compliance.

4) The data/disk had better be encrypted in case the workstation gets into the wrong hands.

Bottom line is, pretty much any application which offers 'print' capability can introduce the workflow you're asking about. As such, this in and of itself is not a HIPAA violation.

My related question had to do with an assumedly different scenario, where I was inquiring about providing a patient with a copy of clinical documentation. The answers here basically confirmed that as long as you're explicitly stating the handoff of ownership of this data to the end-user (who's assumedly logged in to be granted access to the document in the first place), you needn't password-protect, encrypt, etc., the document itself.

Hope this helps. Also browse the other HIPAA-tagged items here, as there's lots of discussion about transmission, storage, etc.!
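As an added illustration of point 1 in the answer above (not part of the original answer and not any vendor's code): a cleanup helper that a logout hook or workstation agent could run when the CPOE session ends, reporting any report PDF it cannot delete because a viewer still has it open. The `cpoe_report_` filename prefix, the function names and the sample files are assumptions made for the example.

```python
import os
import tempfile
import time
from pathlib import Path

REPORT_PREFIX = "cpoe_report_"  # assumed naming convention for exported reports


def purge_reports(folder, session_start, prefix=REPORT_PREFIX):
    """Delete report PDFs written since session_start (epoch seconds).

    Returns (removed, locked). 'locked' lists files that could not be
    deleted, e.g. a PDF still open in a viewer on Windows, so the caller
    can alert or retry instead of silently leaving PHI on disk.
    """
    removed, locked = [], []
    for path in sorted(Path(folder).glob(prefix + "*.pdf")):
        if path.is_symlink() or not path.is_file():
            continue  # never follow links out of the download folder
        if path.stat().st_mtime < session_start:
            continue  # predates this session; leave it alone
        try:
            path.unlink()
            removed.append(path.name)
        except PermissionError:
            locked.append(path.name)
    return removed, locked


def demo():
    """Constructed sample: two reports from this session, one old, one unrelated."""
    with tempfile.TemporaryDirectory() as d:
        now = time.time()
        session_start = now - 600  # session began 10 minutes ago
        samples = [("cpoe_report_a.pdf", 60), ("cpoe_report_b.pdf", 300),
                   ("cpoe_report_old.pdf", 86400), ("invoice.pdf", 60)]
        for name, age in samples:
            p = Path(d, name)
            p.write_bytes(b"%PDF-1.4 constructed sample\n")
            os.utime(p, (now - age, now - age))  # backdate the file
        removed, locked = purge_reports(d, session_start)
        return removed, locked, sorted(os.listdir(d))


if __name__ == "__main__":
    print(demo())
```

Unlinking a file does not scrub its blocks from the disk, which is why the disk encryption in point 4 still matters.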