If I understand your situation correctly, your healthcare environment users only access the domain (through VPN) once a quarter or so. You keep them on the domain so that you can enforce regulatory compliance.
If I were designing your system from scratch, I’d make the laptops inexpensive but encrypted devices that are not members of the domain and set up virtual machines for the users to log in to through the VPN tunnel. That way all your policies are fully enforced, and they still have a word processor/spreadsheet generator on hand for when they’re off the wire. The cost of the virtuals is offset by the lesser cost of the remote devices, and you can let your people use anything to access the virtuals with, including tablets or iMacs.
If you’re stuck with your existing configuration, I’d start working on those ‘other things you can do’. Set up a separate container for those devices and generate a policy set that’s as small as possible. Don’t have them access the network for anything via login-script network drive mapping (use UNC paths via shortcuts on the desktop instead); set up split tunneling so that they only access your network for services that are on the network (particularly DNS). Provide them with as few network services as you can, and keep them off your network entirely if they aren’t fully patched and service packed (network access protection via remediation server).
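As an added example (not part of the original post or the poster's environment), here is a PowerShell sketch of the "separate container, minimal policy set, split tunnel" approach described above: an OU for the rarely-connected laptops with inheritance blocked, one small purpose-built GPO linked to it, the laptops moved in, and a client-side VPN profile that only routes internal prefixes and internal DNS through the tunnel. The OU name, GPO name, computer-name pattern, VPN server, DNS suffix and internal prefix are all assumptions; the domain-side steps need the ActiveDirectory and GroupPolicy RSAT modules, and the VPN steps run on the laptop itself.

```powershell
# Added example, not from the original post. All names, DNs, addresses and
# prefixes are assumptions; replace them with your own values.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName            # e.g. DC=example,DC=local
$ouName   = 'RoamingClinicalLaptops'                    # assumed OU name
$ouDn     = "OU=$ouName,$domainDn"
$gpoName  = 'Roaming Laptops - Minimal Baseline'        # assumed GPO name

# 1. Separate container for the roaming devices, protected from accidental deletion.
$existingOu = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn -ErrorAction SilentlyContinue
if (-not $existingOu) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# 2. Block inheritance so the large workstation policy set never reaches these
#    laptops; only what is explicitly linked to this OU applies.
Set-GPInheritance -Target $ouDn -IsBlocked Yes | Out-Null

# 3. One small GPO. Example setting: do not make logon wait for the network,
#    so cached-credential logons off the wire are not delayed by policy retrieval.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Minimal policy for laptops that rarely see the domain'
}
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon' `
    -ValueName 'SyncForegroundPolicy' -Type DWord -Value 0 | Out-Null

$alreadyLinked = (Get-GPInheritance -Target $ouDn).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null
}

# 4. Move the roaming laptops into the new OU (assumed naming pattern CLIN-*).
Get-ADComputer -Filter "Name -like 'CLIN-*'" | Move-ADObject -TargetPath $ouDn

# 5. On the laptop: a split-tunnel VPN profile. Only the internal prefix and
#    internal DNS go down the tunnel; everything else uses the local connection.
#    Machine-certificate IKEv2 keeps the connection tied to the device.
$vpnName = 'Clinic VPN'                                 # assumed connection name
Add-VpnConnection -Name $vpnName -ServerAddress 'vpn.example.local' -TunnelType Ikev2 `
    -AuthenticationMethod MachineCertificate -SplitTunneling -DnsSuffix 'example.local' `
    -RememberCredential:$false -Force
Add-VpnConnectionRoute -ConnectionName $vpnName -DestinationPrefix '10.20.0.0/16'   # assumed internal range

# Quick check that split tunneling actually took effect on the profile.
Get-VpnConnection -Name $vpnName | Select-Object Name, SplitTunneling, DnsSuffix
```

With inheritance blocked on the OU, a `gpresult /r` on one of the laptops should list only the minimal GPO under "Applied Group Policy Objects", which is a simple way to confirm the policy set really is as small as intended.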