One would think that the enactment of HIPAA and its associated mandates on data security and privacy would have brought a major shift in information security management practices across the US healthcare sector. Unfortunately, recent industry reports indicate a substantially low level of regulatory compliance, which raises security concerns for the US health IT infrastructure. This research develops a regulatory compliance model, drawing on the institutional theory literature, to identify the key drivers influencing compliance, both institutional and market forces: for example, the mix of state and federal privacy regulations, pressure from compliance leaders in the region, and consumer demand for privacy, among others. The primary contribution of this research lies in the novel application of institutional theory to explain the variability in regulatory compliance prevalent in the US healthcare sector.