Close X

Attorney Spotlight

How does Eli Richardson's past work with the federal government inform his client interactions? Find out more>

Search

Close X

Experience

Search our Experience

Experience Spotlight

In June 2016, AmSurg Corp. and Envision Healthcare Holdings, Inc. (Envision) announced they have signed a definitive merger agreement pursuant to which the companies will combine in an all-stock transaction. Upon completion of the merger, which is expected to be tax-free to the shareholders of both organizations, the combined company will be named Envision Healthcare Corporation and co-headquartered in Nashville, Tennessee and Greenwood Village, Colorado. The company's common stock is expected to trade on the New York Stock Exchange under the ticker symbol: EVHC. Bass, Berry & Sims served as lead counsel on the transaction, led by Jim Jenkins. Read more.

AmSurg logo


Close X

Thought Leadership

Enter your search terms in the relevant box(es) below to search for specific Thought Leadership.
To see a recent listing of Thought Leadership, click the blue Search button below.

Thought Leadership Spotlight

Inside the FCA blogInside the FCA blog features ongoing updates related to the False Claims Act (FCA), including insight on the latest legal decisions, regulatory developments and FCA settlements. The blog provides timely updates for corporate boards, directors, compliance managers, general counsel and other parties interested in the organizational impact and legal developments stemming from issues potentially giving rise to FCA liability.

Read More >

New HIPAA Privacy and Security Rules Impact Employer-Sponsored Group Health Plans

Publications

April 19, 2013

Earlier this year, the Department of Health and Human Services ("HHS") issued the long-awaited final regulations (regulations available here; Healthcare Practice Group alert available here) modifying the Health Insurance Portability and Accountability Act's privacy and security rules (collectively "HIPAA"). The modifications included rules pursuant to the Health Information Technology for Economic and Clinical Health Act ("HITECH Act") and the Genetic Information Nondiscrimination Act of 2008 ("GINA"). In general, HIPAA covered entities must comply with the new rules in operation beginning September 23, 2013.

Below is a list of action items for employers that sponsor group health plans that are considered HIPAA covered entities, including self-insured group health plans (which include most healthcare flexible spending accounts and health reimbursement arrangements).

  • Notice of Privacy Practices: HIPAA requires covered entities to maintain and periodically distribute a notice of privacy practices. The new rules require several additions to the notice. If you post your notice on a website that is maintained for your group health plan, the revised notice must be posted by September 23, 2013, and you must include the revised notice in the next annual mailing to plan participants (e.g., open enrollment mailing). If you do not post your notice on a website that is maintained for your group health plan, you must provide the revised notice to plan participants by November 22, 2013.
  • Policies and Procedures: HIPAA requires covered entities to maintain and implement policies and procedures that are designed to comply with the privacy and security rules. The new rules require several modifications to your HIPAA policies and procedures, including with respect to breach notification. While the new rules do not provide an explicit deadline for updating your policies and procedures, the best practice is to update your policies and procedures prior to the September 23, 2013 operational compliance effective date.
  • Workforce Training: HIPAA requires covered entities to provide training on the HIPAA policies and procedures for all members of their health plan workforce. Since the new rules will require several material modifications to your HIPAA policies and procedures, you are required to timely re-train health plan workforce members on the revised HIPAA policies and procedures. Emphasis should be placed on training workforce members to identify and report breaches of unsecured protected health information in a timely manner. Bass, Berry & Sims employee benefits attorneys are available to provide on-site or remote HIPAA training to your health plan workforce members. 
  • Business Associate Agreements: HIPAA requires covered entities to enter into a HIPAA-compliant business associate agreement with each of the health plan's business associates (i.e., an entity that performs services for the health plan and has access to protected health information). You will need to amend or restate your business associate agreements to reflect the new rules. HHS provided transition relief that delays the deadline to amend an existing business associate agreement for up to one year beyond the general operational compliance effective date of September 23, 2013, provided (i) the agreement was effective prior to January 25, 2013 and compliant with the HIPAA rules that were in effect as of that date, and (ii) the agreement will not be modified or renewed from March 26, 2013 until September 23, 2013. An existing business associate agreement that meets these requirements will be deemed compliant with the new rules until the earlier of the date the agreement is renewed or modified, or September 22, 2014.

Now is the time for employers to refocus on HIPAA and prepare for an audit by HHS. As required by the HITECH Act, the new rules strengthen HIPAA's enforcement provisions, including through increased civil penalties for violations. In addition, HHS completed a 12-month HIPAA audit pilot program in 2012 that is expected to be the precursor to a permanent audit program.

The Employee Benefits Practice Group at Bass, Berry & Sims will be hosting a webinar on the new HIPAA rules in June. During the webinar, the firm's employee benefits attorneys will provide listeners with a summary of the new rules as they pertain to employer-sponsored group health plans and an action plan that employers can use to comply with the rules. Stay tuned for additional details regarding the webinar.


Related Professionals

Related Services

Notice

Visiting, or interacting with, this website does not constitute an attorney-client relationship. Although we are always interested in hearing from visitors to our website, we cannot accept representation on a new matter from either existing clients or new clients until we know that we do not have a conflict of interest that would prevent us from doing so. Therefore, please do not send us any information about any new matter that may involve a potential legal representation until we have confirmed that a conflict of interest does not exist and we have expressly agreed in writing to the representation. Until there is such an agreement, we will not be deemed to have given you any advice, any information you send may not be deemed privileged and confidential, and we may be able to represent adverse parties.