Two-day workshops in April, May and June have been set to train state attorneys general in HIPAA enforcement. The economic stimulus law attached stronger penalties for HIPAA privacy and security violations, and perhaps more importantly, removed sole prosecutorial powers from the Office for Civil Rights at HHS (OCR) for enforcement of federal privacy and security provisions by granting dual enforcement authority to state attorneys general. Going further, the law also expanded application of HIPAA criminal provisions to any individual who obtains or discloses health information kept by a covered entity -- not just the covered entity itself -- which essentially reverses the Bush administration Justice Department, which held that only "covered entities" are eligible for prosecution. So, if that EHR software company has an oopsie with your medical records, your state attorney general can go after it. CHOMP! Read the Modern Healthcare article.