Agree that this is a very messy situation.

Most health information transferred online between patients and other entities goes through a portal rather than email to ensure PHI isn't transmitted over unencrypted SMTP or simply forwarded on to some insecure mail server. I.e. data loss prevention.

Wherever it goes, there are a various services that can be used to ensure the file is not malicious. Probably API integration with Palo Alto WildFire or ICAP protocol with Opswat would be the best choices. Neither would be affordable for small government offices.