Doctors, hospitals and insurance companies using electronic health records are required by law to report security breaches to patients and the government — but only after they have done their own risk ...