Close X
Attorney Spotlight

What television show influenced Chad Jarboe's decision to pursue a career in the legal field? Find out more>


Close X


Search our Experience

Experience Spotlight

Primary Care Providers Win Challenge of CMS Interpretation of Enhanced Payment Law

With the help and support of the Tennessee Medical Association, 21 Tennessee physicians of underserved communities joined together and retained Bass, Berry & Sims to file suit against the Centers for Medicare & Medicaid Services to stop improper collection efforts. Our team, led by David King, was successful in halting efforts to recoup TennCare payments that were used legitimately to expand services in communities that needed them. Read more

Tennessee Medical Association & Bass, Berry & Sims

Close X

Thought Leadership

Enter your search terms in the relevant box(es) below to search for specific Thought Leadership.
To see a recent listing of Thought Leadership, click the blue Search button below.

Thought Leadership Spotlight

Healthcare Transactions: Year in Review 2018Last year, CVS Health Corp. (NYSE: CVS) announced it would purchase health insurer Aetna Inc. (NYSE: AET) for $67.5 billion, a transaction that would be one of the biggest healthcare mergers in the past decade. The transaction raises an intriguing question: is this the beginning of a transformational shift in healthcare?

Recently, members of our healthcare group authored the Healthcare Transactions: Year in Review outlining 2017 M&A activity and drivers in the following hot healthcare sectors:

• Managed Care
• Hospitals
• Post-Acute Care—Home Health & Hospice
• Ambulatory Surgery Centers (ASCs)
• Healthcare Information Technology (HIT)
• Behavioral Health
• Physician Practice Management

Read now

New HIPAA Privacy and Security Rules Impact Employer-Sponsored Group Health Plans


April 19, 2013

Earlier this year, the Department of Health and Human Services ("HHS") issued the long-awaited final regulations (regulations available here; Healthcare Practice Group alert available here) modifying the Health Insurance Portability and Accountability Act's privacy and security rules (collectively "HIPAA"). The modifications included rules pursuant to the Health Information Technology for Economic and Clinical Health Act ("HITECH Act") and the Genetic Information Nondiscrimination Act of 2008 ("GINA"). In general, HIPAA covered entities must comply with the new rules in operation beginning September 23, 2013.

Below is a list of action items for employers that sponsor group health plans that are considered HIPAA covered entities, including self-insured group health plans (which include most healthcare flexible spending accounts and health reimbursement arrangements).

  • Notice of Privacy Practices: HIPAA requires covered entities to maintain and periodically distribute a notice of privacy practices. The new rules require several additions to the notice. If you post your notice on a website that is maintained for your group health plan, the revised notice must be posted by September 23, 2013, and you must include the revised notice in the next annual mailing to plan participants (e.g., open enrollment mailing). If you do not post your notice on a website that is maintained for your group health plan, you must provide the revised notice to plan participants by November 22, 2013.
  • Policies and Procedures: HIPAA requires covered entities to maintain and implement policies and procedures that are designed to comply with the privacy and security rules. The new rules require several modifications to your HIPAA policies and procedures, including with respect to breach notification. While the new rules do not provide an explicit deadline for updating your policies and procedures, the best practice is to update your policies and procedures prior to the September 23, 2013 operational compliance effective date.
  • Workforce Training: HIPAA requires covered entities to provide training on the HIPAA policies and procedures for all members of their health plan workforce. Since the new rules will require several material modifications to your HIPAA policies and procedures, you are required to timely re-train health plan workforce members on the revised HIPAA policies and procedures. Emphasis should be placed on training workforce members to identify and report breaches of unsecured protected health information in a timely manner. Bass, Berry & Sims employee benefits attorneys are available to provide on-site or remote HIPAA training to your health plan workforce members. 
  • Business Associate Agreements: HIPAA requires covered entities to enter into a HIPAA-compliant business associate agreement with each of the health plan's business associates (i.e., an entity that performs services for the health plan and has access to protected health information). You will need to amend or restate your business associate agreements to reflect the new rules. HHS provided transition relief that delays the deadline to amend an existing business associate agreement for up to one year beyond the general operational compliance effective date of September 23, 2013, provided (i) the agreement was effective prior to January 25, 2013 and compliant with the HIPAA rules that were in effect as of that date, and (ii) the agreement will not be modified or renewed from March 26, 2013 until September 23, 2013. An existing business associate agreement that meets these requirements will be deemed compliant with the new rules until the earlier of the date the agreement is renewed or modified, or September 22, 2014.

Now is the time for employers to refocus on HIPAA and prepare for an audit by HHS. As required by the HITECH Act, the new rules strengthen HIPAA's enforcement provisions, including through increased civil penalties for violations. In addition, HHS completed a 12-month HIPAA audit pilot program in 2012 that is expected to be the precursor to a permanent audit program.

The Employee Benefits Practice Group at Bass, Berry & Sims will be hosting a webinar on the new HIPAA rules in June. During the webinar, the firm's employee benefits attorneys will provide listeners with a summary of the new rules as they pertain to employer-sponsored group health plans and an action plan that employers can use to comply with the rules. Stay tuned for additional details regarding the webinar.

Related Professionals

Related Services


Visiting, or interacting with, this website does not constitute an attorney-client relationship. Although we are always interested in hearing from visitors to our website, we cannot accept representation on a new matter from either existing clients or new clients until we know that we do not have a conflict of interest that would prevent us from doing so. Therefore, please do not send us any information about any new matter that may involve a potential legal representation until we have confirmed that a conflict of interest does not exist and we have expressly agreed in writing to the representation. Until there is such an agreement, we will not be deemed to have given you any advice, any information you send may not be deemed privileged and confidential, and we may be able to represent adverse parties.