The two federal agencies charged with enforcing the privacy provisions of the Health insurance Portability and Accountability Act of 1996 (HIPAA) have taken diverging approaches to the enforcement of HIPAA. As a result, the field of possible targets for a government enforcement action has been expanded to include persons and businesses not originally thought to be covered by HIPAA. This change raises oversight and compliance issues for nearly every business or person that may have access to health information related to an individual, referred to by HIPAA as “protected health information” (PHI). In addition, the employees of such businesses are now at risk under HIPAA’s criminal provisions. This new development means that businesses thought previously to be exempt from HIPAA should consider implementing a training program and taking steps to establish oversight of any activity involving the use or disclosure of PHI.