Providers need to start tightening the screws on their privacy and security programs because scrutiny is about to get a little harsher.

Typically, the Department of Health and Human Services' Office for Civil Rights (OCR) has conducted audits as a way to educate providers. But now, the agency says it will begin focusing more on enforcement, using harsher investigative tools to “hold bad actors accountable,” Bloomberg reports, citing OCR Director Roger Severino.

Those tools could include everything from subpoenas to legal action, being forced to compensate victims, having to put corrective action plans in place, and even statutory penalties, the report says. OCR has in general been toughening its enforcement actions over the last three years, which means providers need to be better prepared.

“You want to be able to demonstrate that you’re taking privacy and security seriously and that your HIPAA compliance plan is being used and not just sitting on the shelf,” Deborah Gersh, an attorney with Ropes & Gray in Chicago, told Bloomberg.

Civil penalties for violating the Health Insurance Portability and Accountability Act can range from $100 to $50,000 per violation. OCR receives about 20,000 complaints of violations each year. In one example of the climate providers now face, insurer Aetna recently agreed to pay $17 million to settle claims arising from a 2017 data breach.

Experts urge providers to perform a risk analysis and study OCR’s audit protocols to help prepare for future reviews by the agency. A documented risk analysis is already a required implementation specification under the HIPAA Security Rule, and its absence is one of the findings OCR cites most often in its enforcement actions, so providers that cannot produce a current one are exposed before any other control is examined.