Close X
Attorney Spotlight

What is Shannon Wiley looking forward to at this year's Asembia Specialty Pharmacy Summit? Find out more>


Close X


Search our Experience

Experience Spotlight

Primary Care Providers Win Challenge of CMS Interpretation of Enhanced Payment Law

With the help and support of the Tennessee Medical Association, 21 Tennessee physicians of underserved communities joined together and retained Bass, Berry & Sims to file suit against the Centers for Medicare & Medicaid Services to stop improper collection efforts. Our team, led by David King, was successful in halting efforts to recoup TennCare payments that were used legitimately to expand services in communities that needed them. Read more

Tennessee Medical Association & Bass, Berry & Sims

Close X

Thought Leadership

Enter your search terms in the relevant box(es) below to search for specific Thought Leadership.
To see a recent listing of Thought Leadership, click the blue Search button below.

Thought Leadership Spotlight

Download the Healthcare Fraud & Abuse Review 2017, authored by Bass, Berry & Sims

The Healthcare Fraud & Abuse Review 2017 details all healthcare-related False Claims Act settlements from last year, organized by particular sectors of the healthcare industry. In addition to reviewing all healthcare fraud-related settlements, the Review includes updates on enforcement-related litigation involving the Stark Law and Anti-Kickback Statute, and looks at the continued implications from the government's focus on enforcement efforts involving individual actors in connection with civil and criminal healthcare fraud investigations.

Click here to download the Review.

Governor Signs Amendment to Tennessee Data Breach Notification Law

Firm Publication


May 24, 2017

During the recent 110th Regular Session of the Tennessee General Assembly, Governor Bill Haslam signed into law an amendment to the Tennessee Identity Theft Deterrence Act of 1999.1

The previous version of the law required any person or business that conducts business in the state of Tennessee and that owns or licenses computerized personal information of Tennessee residents to notify such residents whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person. These persons or businesses were required to notify affected Tennessee residents within 45 days following discovery or notification of a breach, provided that a law enforcement agency may delay this notification requirement if it determines that notification would impede a criminal investigation.

This amendment, which unanimously passed both chambers of the Tennessee General Assembly:

  • Clarifies that notification to affected Tennessee residents of a data breach must be made within 45 days following a determination by the applicable law enforcement agency that notification will not compromise the investigation;
  • Adds exceptions to the definition of "personal information" for (i) information that has been redacted or otherwise made unusable, and (ii) encrypted information, provided that the encryption key for such information has not been acquired by an unauthorized person; and
  • Changes the definition of an "unauthorized person" from "an employee of the information holder who is discovered by the information holder to have obtained personal information and intentionally used it for an unlawful purpose" to "an employee of the information holder who is discovered by the information holder to have obtained personal information with the intent to use it for an unlawful purpose."

The exception of encrypted information from the definition of protected personal information is consistent with similar breach notification statutes in other states and is a welcome confirmation of the scope of the statute. However, the change to the definition of "unauthorized person", for example, raises new uncertainties not previously present.

The revised definition of "unauthorized person" appears to obligate employers to provide notification when an employee obtains personal information and intends to use it unlawfully, but has not yet done so. This raises the issue of whether the act of obtaining, but not using, the personal information could alone constitute a "material" compromise of the "security, confidentiality, or integrity of the personal information" and thereby trigger a breach notification obligation. If the latter is true, this change in the definition of "unauthorized person" may greatly expand required notifications under this law.

Bass, Berry & Sims will continue to monitor and provide updates as we track privacy legislation and regulations. If you have questions regarding the potential effects of this legislation or any other privacy concerns relating to your organization, please contact an attorney on our Privacy & Data Security team.

12017 Tenn. Pub. Acts 91.

Related Professionals

Related Services


Visiting, or interacting with, this website does not constitute an attorney-client relationship. Although we are always interested in hearing from visitors to our website, we cannot accept representation on a new matter from either existing clients or new clients until we know that we do not have a conflict of interest that would prevent us from doing so. Therefore, please do not send us any information about any new matter that may involve a potential legal representation until we have confirmed that a conflict of interest does not exist and we have expressly agreed in writing to the representation. Until there is such an agreement, we will not be deemed to have given you any advice, any information you send may not be deemed privileged and confidential, and we may be able to represent adverse parties.