If there is no need for someone to have access to all the records, my recommendation would be to break this out into separate cubes for each client. That is the easiest way to do the security. If EMR is emergency medical records, this might be a legal requirement. Security at the cube level is much easier to implement. The dimension isn't hard. But in a similar situation to you that didn't involve medical records, I created a separate data warehouse with just the information the customer would want to see.