"We hope to audit 350 covered entities and 50 business associates in this first go-round," Seeger said. "Selected entities will receive notification and data requests in fall 2014, with business associate audit subjects being included in 2015."
The audits and settlements are designed to spur compliance with the requirement that health-related entities and their associates secure patient information kept on mobile devices.
"Our message to these organizations is simple: Encryption is your best defense against these incidents," said Susan McAndrew, OCR's deputy director of Health Information Privacy.
Since 2008, the civil rights office has sought and obtained just 19 settlements with health entities related to Health Insurance Portability and Accountability Act (HIPAA) privacy and security rule issues, mostly for some kind of data breach, spokeswoman Seeger noted.
Those included one in 2009 with CVS Pharmacy, which paid $2.25 million, the largest such settlement ever, after media reports claimed the chain had improperly disposed of items containing patient information in dumpsters. OCR found CVS had failed to safeguard HIPAA-protected information, and also had failed to adequately train employees in how to dispose of that information properly.
Another high-profile settlement came in 2011, when UCLA Health Services agreed to pay $865,000 after complaints that employees there had improperly viewed health information about pop singer Britney Spears and "Charlie's Angels" actress Farrah Fawcett.
But those and the other 17 settlements represent a tiny fraction of the 981 breaches affecting more than 500 individuals that have been reported since reporting began in 2009, reflecting the fact that OCR prefers to obtain voluntary compliance or corrective action, as opposed to monetary settlements.
However, OCR's looming permanent audit system could lead to more large settlements such as the one with Concentra, whose 330 locations serve 30,000 people each day in 38 states. The company, which provides occupational medicine, urgent care, physical therapy, and wellness services, boasts of treating one out of every seven workers' compensation case victims in the U.S.
Concentra's data breaches included the thefts of two unencrypted laptops containing data about a combined 1,770 patients—one theft in 2009, and another in 2011. Seeger said Concentra also had 16 other breaches that each involved fewer than 500 individuals.
Entities must self-report breaches involving more than 500 individuals within 60 days of the event to OCR, but only have to report breaches involving fewer people on an annual basis.
"OCR's investigation revealed that Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information [ePHI] was at critical risk," OCR said in a prepared statement.
"While steps were taken to begin encryption, Concentra's efforts were incomplete and inconsistent over time, leaving patient PHI vulnerable throughout the organization. OCR's investigation further found Concentra had insufficient security management processes in place to safeguard patient information," the agency said.