This study examined the adoption of security practices, with the goal of identifying dominant configurations and their relationship to perceived compliance. We utilized survey data from 204 hospitals including adoption status of 17 security practices and perceived compliance levels on HITECH, HIPAA, Red Flags Rules, CMS, and State laws governing patient information security. Using cluster analysis and t-tests, we found that three clusters of security practices are significantly associated with different levels of perceived compliance. We demonstrated significant differences among non-technical practices rather than technical practices, and the highest levels of compliance are associated with hospitals that employed a balanced approach between technical and non-technical practices (or between one-time and cultural practices). Our results provide security practice benchmarks for healthcare administrators and can help policy makers in developing strategic and practical guidelines for practice adoption. © (2012) by the AIS/ICIS Administrative Office All rights reserved.