Two weeks ago, the feds got serious about HIPAA enforcement, fining a two-location clinic $4.3 million, and a hospital $1 million, for privacy breaches.
In the first instance, the clinic failed to provide copies of medical records to 41 patients who requested them. Although the patients complained to HHS, the clinic, according to the report, failed to cooperate with the investigation and continued to refuse to provide the records. The penalty was increased for each day the clinic did not cooperate.
The second instance was the accidental loss of unencrypted mobile media containing 192 medical records by a hospital employee.
Taken together, these fines represent $22,746 per patient record breached, in addition to the costs of increased reporting to HHS, increased scrutiny by HHS, measures to protect patients from identity theft, and hits to the reputation of each facility. Costs will end up being repaid by – who else? – patients.
Lesson learned? The government has gotten serious about HIPAA and its HITECH amendments. If there is any area of either law in which you or your business associate is not 100% compliant, you’d better find a way – quickly – to get there.
*Most previous infractions resulted in settlements, some of which included fines, with cooperative healthcare providers and insurers.