Enforcement of the privacy and security rules that protect patient health information may have been lax in the past, but those days appear to be over.

Earlier this year, Massachusetts General Hospital and its physician organization ponied up $1 million to the Office for Civil Rights to settle potential violations of the Health Insurance Portability and Accountability Act privacy rule. The reason: A Mass General employee left a patient schedule that included the names, diagnoses and other protected health information of 192 patients on a subway train.

Shortly thereafter, the University of California at Los Angeles Health System paid $865,000 to settle with the OCR after unauthorized hospital workers looked up the medical information of celebrity patients.

And in a third enforcement action this year, Cignet Health of Prince George's County, Md., was socked with the OCR's first-ever civil money penalty — a $4.3 million hit for violating the privacy rule and refusing to cooperate with the OCR's investigation.

How times have changed.

"Everyone in the industry was aware of the fact that there had been thousands of complaints logged with the OCR about potential privacy and security violations and, up until a couple of years ago, not a single enforcement action," says Patricia Markus, a health care attorney at Smith Moore Leatherwood in Raleigh, N.C.

That apparently has led some so-called covered entities — hospitals, physician offices, health plans and others — to become lax. In a report issued this summer, the Office of Inspector General for Health & Human Services said its audit of seven large hospitals uncovered 151 "vulnerabilities," of which 124 were so serious that they could result in the loss of major assets, significantly violate an organization's mission or reputation, or result in human death or serious injury.

Shortly thereafter, HHS hired the consulting firm KPMG to audit the privacy and security practices of up to 150 covered entities by the end of next year.

Smart health system executives are spending more time, energy and money to bolster their efforts to comply with the privacy and security regulations. Dina Marty, counsel for Wake Forest University Baptist Medical Center, Winston-Salem, N.C., says compliance is both easier and more difficult — and more expensive — as technology becomes more sophisticated.

Encryption technology properly secures protected health information, but if physicians download patient data onto thumb drives they bought themselves, that information may not be secure. Another layer of security can prevent unauthorized thumb drives from downloading patient information — but at a hefty cost.

"It's a constant battle to stay on top of all of this because technology is changing so fast," Marty says.