Clinical information systems (CIS) significantly influence the quality and efficiency of health care delivery. However, CIS are complex environments that integrate information technologies, human stakeholders, and patient-specific data. Given the sensitivity of patient data, federal regulations require healthcare providers to adopt policy, as well as technology, protections for patient data. Ad hoc system design and implementation of CIS can cause unforeseen and unintended privacy and security breaches.