There are many ways in which to accomplish this task, but we use loop and reduce through the QV publisher. As we are a payor, we create a Security Group field in Qlikview that authorizes people to see certain clients. A unique document is created for each group and we us AD permissions to allow individuals to look at the limited data.
The only con to this is that you need a seperate analytic for each Security Group on your accesspoint. Depending on the number of "Security Groups" you have and your server size, this may be a limiting factor.
We also scramble certain fields based on the Security Group with a marco.
All in all, we are very happy with QlikViews ability to deal with HIPAA requirements in our organization.