I would definitely use it as a domain controller, along with DHCP and DNS.
Much easier to write your HIPAA compliance manual.
Another suggestion would be to get at least a backup DC that could keep the AD and DNS databases fault tolerant. I know budget is tight, but spending a little now may save “emergency” spending later which is almost always more expensive.
At the very least, make sure you have RAID 1, a tape backup, or something to protect the databases and files. 20 users is not a lot, but peace of mind is worth the cost.
Another note: if this place qualifies as a 501(c)(3) nonprofit, you can get ‘almost free’ Windows Server 2003 and a plethora of hardware and software at www.techsoup.org.
It is a goldmine for qualifying nonprofits.