Research on the human element of information security is fragmented at best. This paper presents a management framework for organizations in the health care industry that wish to improve their information security procedures in an effort to comply with HIPAA and other regulations. The emphasis is on securing an organization against internal threats by adequately educating employees and building an organizational culture in which security initiatives are valued and respected. The premise of the paper is that a cultural approach is the only way to achieve the versatile security environment needed to comply with regulations as vast and complex as HIPAA. We argue that this framework demands that empirical data be collected through careful industry research with health care providers in order to demonstrate the real-world value of its application.