Health care organizations are required to conduct a comprehensive security risk assessment to protect all electronic health information created or maintained by EHR systems. In 2009, as part of the economic stimulus legislation, Congress passed the Health Information Technology for Economic and ...