Not surprising, really. The only time companies get punished for non-compliance is when they are the ones accessing protected health information. No threat of punishment == no compliance.
That's not the case at all. HIPAA makes a distinction between covered entities (usually hospitals, doctors, insurance companies), business associates (people providing services for covered entities such as medical coding, transcription, IT services, etc.) that require access to protected health information, and everyone else who isn't allowed to access protected health information. If a covered entity loses or discloses protected health information, or is breached, that entity is responsible for fines under HIPAA, which are being levied regularly. e.g. http://www.healthcareitnews.co...
It might be nice to have a light sensor in my gutters that warns me if a downspout is clogged or they need cleaning before my annual fall cleanup. I have a whole-house humidifier, and when it gets to -10 like this week, it needs to be turned down or I get condensation on the windows. Smart things can do that for me. These are all things that ubiquitous computing can do, and that's pretty cool.
The average IT spend as a percent of revenue is around 2-2.5%. That varies depending on industry (the tech industry is much higher, upwards of 4%), but it's a good starting point. I'd look at where you are now as a benchmark. As others have mentioned, you need to make a business case. What projects are being delayed, by how much time, and what is the effect? If the effect is that the company misses $200k in revenue or increases production costs, you can probably make a case for additional help. If the effect is that the floor manager gets grumpy because he really would like this thing, you probably aren't going to get additional help, nor should you.