Insider threats in health care systems constitute the majority of patient privacy breaches. To mitigate such insider threats, many research proposals have been made to develop anomaly detectors based on past behavior patterns and on data mining of audit trails to investigate abuses in networks and organizational settings. However, such systems detect rather than prevent breaches. In this paper, we argue that current health security systems do not consider the risk level of the authorized user and lack a reward/penalty mechanism for proper data handling. We propose that building such a tool, as an add-on to an access controller, would help dissuade users from committing privacy breaches. We propose a framework for scoring user behavior with respect to privacy risk by drawing on concepts from psychology, anomaly detection theory, and item response theory. We test our method with synthetic data and demonstrate its efficacy. The model provides improvements in information management, information access, and the training of care providers in handling patient data.