You can create a different SSID; GUEST and use security model or no security at all, since its a guest connection. One of the purposes of using a different SSID is for a different security posture per SSID.
You would then map the SSID to a VLAN to separate the traffic on the wired side. You need to make sure your wired side is ACL'd and switch config is clean, so your guest cant get onto your other subnets.
I would recommend, since this is a healthcare related implementation, you consider a DSL or cable connection for guest access and filter it through a WEBSENSE (or similar product) and firewall.
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________