2

Objective: HIPAA compliance.

Here is the process:

  1. Receive PDF File through secure website
  2. Open the PDF (which involves downloading to some folder)
  3. No longer need PDF

The Question:

Is there any way to simply view the PDF in the browser without ever having downloaded it? Or can I use a secure app for Chrome/Firefox to store the temp file in order to view, and then records will be deleted when I exit the browser?

If this cannot be done, is there any way to download that PDF directly to a password-protected, encrypted file folder, then open it from there?

Workstation: Windows 7, any browser, only one account (so permissions for different accounts are out)

Does anyone have any ideas for solutions to this?

John
Jeff

1 Answer

2

Idea 1. Install full-disk encryption on all client machines. This way, the PDF will be downloaded to the machine, but it won't live in cleartext on the hard disk. You will have to investigate whether this works well with people's work habits and whether it meets HIPAA compliance requirements.

Idea 2. Don't send a PDF file to the client. Instead, render the document on the server side. For an illustrative example, look at Google Docs, which renders a PDF file on the server side, converts it to HTML, and sends your browser some HTML, which then is displayed by the browser. This way, there is no PDF file stored on your hard disk. Obviously, you're not going to use Google Docs to render sensitive medical PDFs, but you might be able to build some simple web application or server tools to render the PDF on the server side. For instance, you might be able to use ghostscript to convert the PDF file to a series of PNG images, then have the web page include the dynamically generated PNG images (not the PDF file itself).

One last reminder. Remember that if you don't want the contents of web pages to be stored on the user's hard disk, the web server will need to send special HTTP directives to instruct the browser not to cache the documents. Otherwise, by default HTML pages will be stored in files on the hard disk in the browser's disk cache, so even non-PDF pages could end up stored on the client machine's hard disk if you are not careful.

D.W.
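Idea 2 and the caching reminder from the answer above, combined as an added example (not part of the original answer): a small WSGI app that serves server-rendered page images with headers telling the browser not to cache them. The function names, the `page-%03d.png` naming scheme and the 110 dpi default are assumptions; authentication and TLS are left to the surrounding application.

```python
import subprocess
from pathlib import Path
from wsgiref.util import setup_testing_defaults

# Directives telling the browser not to write the response to its disk cache.
NO_STORE = [("Cache-Control", "no-store"),
            ("Pragma", "no-cache"),  # legacy HTTP/1.0 caches
            ("Expires", "0")]        # invalid date, treated as already expired

def ghostscript_cmd(pdf_path, out_dir, dpi=110):
    """Command line that rasterises each PDF page to a PNG on the server."""
    out = Path(out_dir) / "page-%03d.png"
    return ["gs", "-dSAFER", "-dBATCH", "-dNOPAUSE", "-sDEVICE=png16m",
            f"-r{dpi}", f"-sOutputFile={out}", str(pdf_path)]

def render_pdf(pdf_path, out_dir):
    """Run Ghostscript (must be installed on the server); raises on failure."""
    subprocess.run(ghostscript_cmd(pdf_path, out_dir), check=True, timeout=120)

def make_app(render_dir):
    """WSGI app serving only the PNG files that sit directly in render_dir."""
    root = Path(render_dir).resolve()

    def app(environ, start_response):
        target = (root / environ.get("PATH_INFO", "").lstrip("/")).resolve()
        # Reject traversal, sub-directories and anything that is not a page image.
        if target.parent != root or target.suffix != ".png" or not target.is_file():
            start_response("404 Not Found", NO_STORE + [("Content-Type", "text/plain")])
            return [b"not found"]
        body = target.read_bytes()
        start_response("200 OK", NO_STORE + [("Content-Type", "image/png"),
                                             ("Content-Length", str(len(body)))])
        return [body]
    return app

def call(app, path):
    """Invoke the app in-process and return (status, headers, body)."""
    environ, seen = {}, {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    def start_response(status, headers):
        seen.update(status=status, headers=dict(headers))
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body
```

The rendered PNG files still exist on the server's disk, so the render directory needs its own access controls and cleanup.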