New HIPAA Privacy and Security Rules Impact Employer-Sponsored Group Health Plans


April 19, 2013

Earlier this year, the Department of Health and Human Services ("HHS") issued the long-awaited final regulations (regulations available here; Healthcare Practice Group alert available here) modifying the Health Insurance Portability and Accountability Act's privacy and security rules (collectively "HIPAA"). The modifications included rules pursuant to the Health Information Technology for Economic and Clinical Health Act ("HITECH Act") and the Genetic Information Nondiscrimination Act of 2008 ("GINA"). In general, HIPAA covered entities must comply with the new rules in operation beginning September 23, 2013.

Below is a list of action items for employers that sponsor group health plans that are considered HIPAA covered entities, including self-insured group health plans (which include most healthcare flexible spending accounts and health reimbursement arrangements).

  • Notice of Privacy Practices: HIPAA requires covered entities to maintain and periodically distribute a notice of privacy practices. The new rules require several additions to the notice. If you post your notice on a website that is maintained for your group health plan, the revised notice must be posted by September 23, 2013, and you must include the revised notice in the next annual mailing to plan participants (e.g., open enrollment mailing). If you do not post your notice on a website that is maintained for your group health plan, you must provide the revised notice to plan participants by November 22, 2013.
  • Policies and Procedures: HIPAA requires covered entities to maintain and implement policies and procedures that are designed to comply with the privacy and security rules. The new rules require several modifications to your HIPAA policies and procedures, including with respect to breach notification. While the new rules do not provide an explicit deadline for updating your policies and procedures, the best practice is to update your policies and procedures prior to the September 23, 2013 operational compliance effective date.
  • Workforce Training: HIPAA requires covered entities to provide training on the HIPAA policies and procedures for all members of their health plan workforce. Since the new rules will require several material modifications to your HIPAA policies and procedures, you are required to timely re-train health plan workforce members on the revised HIPAA policies and procedures. Emphasis should be placed on training workforce members to identify and report breaches of unsecured protected health information in a timely manner. Bass, Berry & Sims employee benefits attorneys are available to provide on-site or remote HIPAA training to your health plan workforce members. 
  • Business Associate Agreements: HIPAA requires covered entities to enter into a HIPAA-compliant business associate agreement with each of the health plan's business associates (i.e., an entity that performs services for the health plan and has access to protected health information). You will need to amend or restate your business associate agreements to reflect the new rules. HHS provided transition relief that delays the deadline to amend an existing business associate agreement for up to one year beyond the general operational compliance effective date of September 23, 2013, provided (i) the agreement was effective prior to January 25, 2013 and compliant with the HIPAA rules that were in effect as of that date, and (ii) the agreement will not be modified or renewed from March 26, 2013 until September 23, 2013. An existing business associate agreement that meets these requirements will be deemed compliant with the new rules until the earlier of the date the agreement is renewed or modified, or September 22, 2014.

Now is the time for employers to refocus on HIPAA and prepare for an audit by HHS. As required by the HITECH Act, the new rules strengthen HIPAA's enforcement provisions, including through increased civil penalties for violations. In addition, HHS completed a 12-month HIPAA audit pilot program in 2012 that is expected to be the precursor to a permanent audit program.

The Employee Benefits Practice Group at Bass, Berry & Sims will be hosting a webinar on the new HIPAA rules in June. During the webinar, the firm's employee benefits attorneys will provide listeners with a summary of the new rules as they pertain to employer-sponsored group health plans and an action plan that employers can use to comply with the rules. Stay tuned for additional details regarding the webinar.
