Enforcement of the privacy and security rules that protect patient health information may have been lax in the past, but those days appear to be over.

In 2011, Massachusetts General Hospital and its physician organization ponied up $1 million to the Office for Civil Rights (OCR) to settle potential violations of the Health Insurance Portability and Accountability Act privacy rule. The reason: A Mass General employee left a patient schedule that included the names, diagnoses and other protected health information of 192 patients on a subway train.

Shortly thereafter, the University of California at Los Angeles Health System paid $865,000 to settle with the OCR after unauthorized hospital workers looked up the medical information of celebrity patients.

Also in 2011, Cignet Health of Prince George's County, Md., was socked with the OCR's first-ever civil money penalty — a $4.3 million hit for violating the privacy rule and refusing to cooperate with the OCR's investigation.

"Everyone in the industry was aware of the fact that there had been thousands of complaints logged with the OCR about potential privacy and security violations and, up until a couple of years ago, not a single enforcement action," says Patricia Markus, a health care attorney at Smith Moore Leatherwood in Raleigh, N.C.

That apparently has led some hospitals, physician offices, health plans and others to become lax. In a report issued last summer, the Office of Inspector General for Health & Human Services said its audit of seven large hospitals uncovered 151 "vulnerabilities," of which 124 were so serious that they could result in the loss of major assets, significantly violate an organization's mission or reputation, or result in human death or serious injury. Shortly thereafter, HHS hired KPMG to audit the privacy and security practices of up to 150 covered entities by the end of the year.

Dina Marty, counsel for Wake Forest University Baptist Medical Center, Winston-Salem, N.C., says compliance is both easier and more difficult — and more expensive — as technology becomes more sophisticated. "It's a constant battle to stay on top of all of this because technology is changing so fast," Marty says.