Sounds like you might be better off creating a custom MAPI Service Provider, and then connecting Outlook to it. That should give you a (relatively) clean programming model to follow without having to worry about messing with the Outlook UI... and also help avoid problems caused by users accidentally clicking the wrong button!
You absolutely can. You can use VSTO to do it. Here is an example of adding a context menu item to folders, but adding a button is a very similar exercise.
A simpler way could be sending a message which contains a link to the secured content on your website.
This will avoid the need to create an add-in, as well as accidentally hitting "send" instead of "send secure".
EDIT: I mean, even if you send the email by accident, there won't be anything in it other than some instructions with a link
e.g. myopenid.com/username/patientReport?id=xxxxxxxxxxxxxxxxxxxxx
When clicked, the user could be prompted to log in & see the details.
EDIT2: Yes I know, I am moving away from the topic of creating an Outlook add-in. But why go the difficult way when a simpler solution can be derived? :)
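The link-only approach from the last answer, as an added example that is not part of any poster's reply: the e-mail carries only an unguessable id, and the site releases the content only to the logged-in recipient. `ReportStore`, `build_notification` and the `portal.example` URL are hypothetical names chosen for illustration.

```python
import secrets
from email.message import EmailMessage

# Hypothetical portal address; the real site and path are not given on the page.
BASE_URL = "https://portal.example/patientReport"


class ReportStore:
    """Server-side store: content stays here and never travels by e-mail."""

    def __init__(self):
        self._by_id = {}

    def publish(self, recipient, content):
        # 32 random bytes from the OS CSPRNG, so the id cannot be guessed
        # or enumerated the way a sequential database key could.
        report_id = secrets.token_urlsafe(32)
        self._by_id[report_id] = (recipient.lower(), content)
        return report_id

    def fetch(self, report_id, logged_in_user):
        # The id alone is not a credential: a forwarded or misdirected
        # e-mail must not be enough to read the content.
        if logged_in_user is None:
            raise PermissionError("login required")
        entry = self._by_id.get(report_id)
        # Same error for "unknown id" and "wrong user", so a caller cannot
        # probe which ids exist.
        if entry is None or entry[0] != logged_in_user.lower():
            raise PermissionError("not found or not authorised")
        return entry[1]


def build_notification(sender, recipient, report_id):
    """Build the message that is safe to send by the ordinary Send button."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "A secure document is waiting for you"
    msg.set_content(
        "Log in to view your document:\n"
        f"{BASE_URL}?id={report_id}\n"
    )
    return msg


if __name__ == "__main__":
    store = ReportStore()
    # Constructed sample data.
    rid = store.publish("alice@example.org", "constructed sample report text")
    print(build_notification("clinic@example.org", "alice@example.org", rid))
```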