This study examines how a healthcare organization's security practices (including IT controls, policies, education, and hiring practices) influence their perceived regulatory compliance and security performance. We utilized qualitative and quantitative survey data provided by senior IT managers from 250 healthcare organizations. The data provides a snapshot of patient information security in the surveyed organizations. Healthcare organizations must focus on preventing breaches (which results in brand damage and direct remediation costs) as well as complying with government regulation (to avoid indirect costs, including fines and penalties). Using hierarchical linear modeling (ULM), we examine how specific security practices improve regulatory compliance, protect patient information, and minimize the impact of a breach incident. The results show that audit polices are positively associated with perceived regulatory compliance and security policies are associated with security performance. We also find that the interaction of both audit and security policies has a more significant effect than either type alone. Surprisingly, an organization's level of compliance is not significantly associated with actual security performance. This study contributes to demonstrating which security practices can help the organizations comply with the regulations and the effects of security practices and regulatory compliance on information security performance. This can provide healthcare organizations with strategic guidelines to improve their regulatory compliance and security performance. © (2011) by the AIS/ICIS Administrative Office, All rights reserved.