OU structure

We are redesigning our AD OU structure and just wanted to get some feedback. Our structure/environment is fairly simple and straight forward, were just trying to clean it up some. We are a health organization that offers a software package to private practices, basically getting them on an electronic health record system. We have a colocation and we publish all required apps via citrix and all practices are connected through a vpn tunnel to the colo. Not all practices need access to all 3 apps we offer, some only need one while others require all 3. Right now we have an OU named ‘Practices’ with each practice nested underneath in its own OU named after the practice, with nothing but user accounts in each. What we want to accomplish with the restructuring is ease of administration and app/printer access. We have security groups created for access to the various apps, example citrix PM, or citrix EHR. Then we just add the various users from all the practices to give access. What we are thinking is to create security groups within each practices OU, then adding the users to the required security groups within the OU, then adding the group to the higher level security group. Also thinking adding to OU’s under each practice, one for ‘users’ and one for ‘groups’, just for visibility and separation from users/groups. Any feedback or suggestions? Is it bad idea/practice to nest security groups within each OU for the practice?