The patient can use that URL again (this is nice so you don't have to send out new links every meeting), but only the clinician (you) can initiate the meeting. So it doesn't do them much good to check in. You'll see them check in but you don't have to start a meeting with them. You can click the 'x' next to their name to remove them from your waiting room.
We do have a passcode feature if this is a concern for you. To set a password: Go to Account Settings ---> Room Settings ---> Check 'Use Room Passcode' ---> Select a Passcode