Your thoughts on vendor requiring all users to login to a MS terminal server with the same username and password
Solution 1:
If the files are stored at the filesystem level without user-based encryption and with no ACLs then yes, run away. If ALL data was stored within the database then I would feel slightly less hesitant but even still, any vendor that says it's ok (especially when HIPPA is in the mix) to use shared ID's is suspect in my book. If you join the machine to a domain then there is nothing confusing from the end user's standpoint about using their own individual ID. Rather, it would be more confusing for them to have the additional shared ID.
Solution 2:
Agreed, with profile sharing comes a whole host of issues - not the least of which is the inability to have good accountability (or even ANY accountability) for exactly who did exactly what and exactly when it happened. Find another vendor - one that adheres to basic security principals. Try to find someone with a SAS 70 type II certification if possible. I'll guarantee those organizations won't allow profile sharing. Thanks for asking before jumping into this one and regretting it later.