Also have this question, anyone?
We constantly share this concern with our shared iPhone/iPad not just for patients but also for employees as well. Depending on the use case, there are several options.
Take the patient's iPad as an example. At the minimum we enable 'Force WiFi whitelisting' so that the iPad won't be able to connect any WiFi outside of the hospital network. We also, of course, push down only approved apps via VPP and hide the App Store to further discourage the user from taking the iPad home. I thought of enabling geofencing either on top of the above or as an alternative, but I'm concerned the iPad would just be dead in the water as none of them has an active SIM card. Either way, we are far ahead than most if not all as long as our devices are supervised.