A regional health information exchange (HIE) contracted with information security experts to perform a security assessment of the HIE's physical office, network infrastructure, operational processes and cloud portal. The governance of protected healthcare information (PHI) was originally addressed by the Heath Information Portability and Accountability Act (HIPAA), which was enacted in 1996 during the Clinton Administration. The task of properly managing ePHI was made more complex by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act established the HIE concept as a first step toward a national health information system. The security team recommended best practice is that all regional HIEs include information security risk assessment and information technology risk assessment tasks in their annual security assessment projects. The basic concept underpinning all information management and governance activities is the idea that information has value—and so needs to be managed and safeguarded accordingly based on its value.