New HIPAA Privacy and Security Rules Impact Employer-Sponsored Group Health Plans


April 19, 2013

Earlier this year, the Department of Health and Human Services ("HHS") issued the long-awaited final regulations modifying the Health Insurance Portability and Accountability Act's privacy and security rules (collectively "HIPAA"). The modifications included rules pursuant to the Health Information Technology for Economic and Clinical Health Act ("HITECH Act") and the Genetic Information Nondiscrimination Act of 2008 ("GINA"). In general, HIPAA covered entities must comply with the new rules in operation beginning September 23, 2013.

Below is a list of action items for employers that sponsor group health plans that are considered HIPAA covered entities, including self-insured group health plans (which include most healthcare flexible spending accounts and health reimbursement arrangements).

  • Notice of Privacy Practices: HIPAA requires covered entities to maintain and periodically distribute a notice of privacy practices. The new rules require several additions to the notice. If you post your notice on a website that is maintained for your group health plan, the revised notice must be posted by September 23, 2013, and you must include the revised notice in the next annual mailing to plan participants (e.g., open enrollment mailing). If you do not post your notice on a website that is maintained for your group health plan, you must provide the revised notice to plan participants by November 22, 2013.
  • Policies and Procedures: HIPAA requires covered entities to maintain and implement policies and procedures that are designed to comply with the privacy and security rules. The new rules require several modifications to your HIPAA policies and procedures, including with respect to breach notification. While the new rules do not provide an explicit deadline for updating your policies and procedures, the best practice is to update your policies and procedures prior to the September 23, 2013 operational compliance effective date.
  • Workforce Training: HIPAA requires covered entities to provide training on the HIPAA policies and procedures for all members of their health plan workforce. Since the new rules will require several material modifications to your HIPAA policies and procedures, you are required to timely re-train health plan workforce members on the revised HIPAA policies and procedures. Emphasis should be placed on training workforce members to identify and report breaches of unsecured protected health information in a timely manner. Bass, Berry & Sims employee benefits attorneys are available to provide on-site or remote HIPAA training to your health plan workforce members. 
  • Business Associate Agreements: HIPAA requires covered entities to enter into a HIPAA-compliant business associate agreement with each of the health plan's business associates (i.e., an entity that performs services for the health plan and has access to protected health information). You will need to amend or restate your business associate agreements to reflect the new rules. HHS provided transition relief that delays the deadline to amend an existing business associate agreement for up to one year beyond the general operational compliance effective date of September 23, 2013, provided (i) the agreement was effective prior to January 25, 2013 and compliant with the HIPAA rules that were in effect as of that date, and (ii) the agreement will not be modified or renewed from March 26, 2013 until September 23, 2013. An existing business associate agreement that meets these requirements will be deemed compliant with the new rules until the earlier of the date the agreement is renewed or modified, or September 22, 2014.

Now is the time for employers to refocus on HIPAA and prepare for an audit by HHS. As required by the HITECH Act, the new rules strengthen HIPAA's enforcement provisions, including through increased civil penalties for violations. In addition, HHS completed a 12-month HIPAA audit pilot program in 2012 that is expected to be the precursor to a permanent audit program.

The Employee Benefits Practice Group at Bass, Berry & Sims will be hosting a webinar on the new HIPAA rules in June. During the webinar, the firm's employee benefits attorneys will provide listeners with a summary of the new rules as they pertain to employer-sponsored group health plans and an action plan that employers can use to comply with the rules. Stay tuned for additional details regarding the webinar.
