According to the Resolution Agreement published by HHS, Office of Civil Rights that is charged with enforcing the HIPAA Privacy Rule standards, (45 CFR Part 160 and Part 164, Subparts A and E) as well as the security Rule (45 CFR Part 160 and Part 164 Subparts A and C) and the Breach Notification Rule (45 FR Part 160 and Part 164 Subparts A and D). Following a Breach Report, OCR investigated a ransomware attack involving PHI for over 14,000 patients which revealed GRBH’s noncompliance with both the Privacy and the Security Rules. The investigation indicated the following potential violations:

  • Failure to comply with the requirement to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to confidentiality and integrity of all ePHI (45 CFR §164.308(a)(l)(ii)(a))
  • Failure to comply with requirement to implement security measures sufficient to reduce risks and vulnerabilities to ePHI to reasonable and appropriate level. (45 CFR §164.308(a)(l)(ii)(B))
  • Failure to comply with requirement to implement policies and procedures to regularly review records of information system activity, such as incident tracking reports and access reports (45 CFR §164.308(a)(1)(ii)(A))
  • Failure to comply with the requirement to not use or disclose PHI except as permitted by the Privacy Rule. (45 CFR §164.502(a)).

The Resolution Agreement with Green Ridge Behavioral Health (GRBH) in late October, 2023, is not an admission or concession but is intended to resolve the investigation and any potential HIPAA violations and avoid further burden and expense of investigation and formal proceedings, according to the terms of the document. GRBH agreed to pay $40,000 in a lump sum payment within 3 days of the effective date of the agreement and agreed to comply with terms of a Corrective Action Plan (CAP) attached to the Agreement. The Agreement is binding on successors. Breach of the CAP, and failure to cure as set for the in the Cap, constitutes breach of the Resolution Agreement. Green Ridge will also conduct an audit of third-party vendors to ensure that business associate agreements are in place, and report to OCR if workforce members fail to comply with HIPAA.

The outcome of this investigation underscores the need for all behavioral health providers to give time and attention to compliance activities to minimize the risks to their organizations particularly in light of the number of breaches healthcare institutions and other providers are currently experiencing.

I have spoken with so many of my clients and colleagues this summer about the HIE statutes, rules and the machinations of the legislature. According to the proposed rules all licensed providers were required to show a good faith effort to join the MyHealth Access Network, the state’s designated Health Information Exchange by July 1, 2023. However, at issue has been a provision allowing exemption of some providers which was less that clear and hotly contested particularly by behavioral health providers. The Governor disapproved those rules on June 23, 2023.

OHCA drafted revised OKSHINE emergency rules, which were approved on July 17, 2023. These emergency rules now establish that, instead of applying for exemption from OKSHINE transmission and utilization requirements, “[a]ll providers that register [for] an exemption shall be granted such exemption and shall not be subject to pay subscription fees and/or connection fees.” Therefore, any healthcare providers who desire OKSHINE exemption status will automatically receive such an exemption after completing OHCA’s OKSHINE Exemption Registration Form. The form may be accessed at this link.

OHCA staff will review submitted forms, and then notify those providers of their OKSHINE exemption status. According to the language of the rule, “[t]he exemption will automatically renew annually unless the provider withdraws their exemption and elects to participate.”

The federal government has declared that the COVID-19 Public Health Emergency (PHE) expires on 5/11/23Many things will occur on that day which I will endeavor to write about in the coming daysI have many clients and colleagues concerned with rules governing telehealth, so I will focus in my first posting for HLO on what may happen to the rules for tele-prescribing controlled substances post-PHEThe DEA and HHS jointly proposed rules early in 2023, largely characterized by institutional providers as burdensome and hindering access to care. The sponsoring agencies interpreted the responses to be overwhelmingly in opposition to the proposed rules, and so the proposed rules were abandoned.  The Ryan Haight Act of 2008, established the requirement that the practitioner prescribing controlled substances via the internet must have conducted at least one in-person medical evaluation of the patient, but the option the statute provided of a special registration requirement for telehealth-limited prescribers was also dismissed as too limitedDEA and HHS have now offered a Temporary Rule to the Office of Management and Budget (OMB) which was available online at on 5/9/23It seems that the agencies heard and acted upon the demand for continued flexibility for these providers and their patients’ needs. That rule provides that “[t]he full set of telemedicine flexibilities regarding prescription of controlled medications as were in place during the COVID-19 PHE will remain in place through November 11, 2023.”  In addition, a one-year grace period is established for any practitioner-patient telemedicine relationships established on or before 11/11/23 preserving the “full set of telemedicine flexibilities” in place during the COVID PHE. DEA is evaluating comments and preparing for implementation of final regulations.  The temporary rule, in effect until 11/11/24, adds new 21 C.F.R. 1307.41 and 42 C.F.R. 12.1. 

Final Rules have been issued for both the Stark Law (“Stark”) and the Anti-Kickback Statute (“AKS”).  Healthcare providers and their counsel have been awaiting these new rules for some time now.  In the days ahead, Phillips Murrah healthcare counsel will be studying the 627 pages of the Stark Final Rules and the 1,000 pages of the AKS Final Rules in order to advise our clients with regard to these changes.


The Final Rules for Stark establish new and permanent exceptions for value-based arrangements which will apply broadly to care provided for all patients and not just Medicare patients.  Stark will continue to act to limit overutilization of services, fraud and other abuse in the healthcare industry but will offer increased flexibility for current strategies and activities to encourage value-based arrangements, coordination and improvement of care which are both reasonable and beneficial to patients.


The Final Rule includes seven new safe harbors and modifications of four existing safe harbors.  In addition, there is a new exception for Civil Monetary Penalties Act for Beneficiary Inducements.  Of interest to counsel for both physicians and hospitals is the Final Rule’s clarification of Fair Market (“FMV”) as related to physician compensation.  FMV has been a continued troublesome of scrutiny and debate by all participants in the healthcare industry.  Also significant for many healthcare clients are the modifications and clarification of provisions related to cyber security and digital technology.

The following summary of the Oklahoma Johnson & Johnson opioid decision is also published at

The decision in the non-jury trial, Oklahoma ex rel. Mike Hunter, Attorney General of Oklahoma v. Purdue Pharma L.P. et al was filed on August 26, 2019.  The trial, which lasted for thirty-three days, focused on the State’s sole claim against the defendants for public nuisance under state statute, during which forty-two witnesses were called by the parties and 874 exhibits were submitted into evidence, along with 225 additional court exhibits.

In the first such decision in the United States among a plethora of cases filed across the nation, the Court held that the State had met its burden of proof that the defendant, Johnson & Johnson, was the cause-in-fact of the extensively described injuries and that the harm suffered was the kind recognized by the state law. Purdue and Teva Pharmaceuticals settled prior to trial. The court found no intervening causes to defeat a finding of direct and proximate cause.

Testimony ran the gamut of describing the development of opioids in the 1950s and research and development that occurred from the 1990s until recent years, and it focused on what the Court considered intentionally misleading marketing information and activities. It is noteworthy that the Court included in its findings that there was no opioid epidemic in Oklahoma through the mid-1990s, according to the state Commissioner of Mental Health.

The Court found that “Defendants, acting in concert with others, embarked on a major campaign in which they used branded and unbranded marketing to disseminate the messages that pain was being undertreated and ‘there was a low risk of abuse and a low danger’…designed to reach Oklahoma doctors through multiple means and at multiple times over the course of the doctor’s professional education and career” in the state.  The defendants were found to have deceptively marketed the concepts of “undertreatment” and “pseudoaddiction” in the effort to avoid the “addiction ditch,” to increase the volume of prescriptions and increase use by state physicians.

An Abatement Plan was relied upon to represent the cost of addiction treatment included in the: assessment and treatment at all levels for addicted individuals; supplementary treatment; public medication and disposal programs; screening; Brief Intervention and Referral to Treatment (SBIRT) for all primary care practices and emergency departments; universal screening; pain management program for state Medicaid members; education; naloxone treatment and education; law enforcement and provider licensure agency investigation activities; and perinatal preventive services.

The total yearly costs for remediation as described to the Court for 2019 is $572,102,028.  While State witnesses testified that the abatement Plan will require twenty years, the Court found that “…the State did not present sufficient evidence of the amount of time and costs necessary, beyond year one, to abate the Opioid Crisis.” Oklahoma ex rel. v. Purdue Pharma L.P. et al at 41.

In a news release, counsel for Johnson & Johnson stated that it is confident that it has strong grounds for an appeal of Oklahoma’s opioid decision. This decision is expected to influence the settlement talks taking place in Ohio currently related to thousands of pending lawsuits against twenty-two opioid manufacturers and distributors, including Purdue.