The Digital Chamber Publishes US Blockchain Roadmap
The Digital Chamber (TDC), a trade association focused on advancing blockchain adoption and regulatory clarity, has unveiled its U.S. Blockchain Roadmap, a plan aimed at enhancing America’s leadership in blockchain technology. The roadmap emphasizes blockchain’s potential in reshaping financial systems, global trade, and digital infrastructure. It argues that blockchain development could impact the United States’ economic growth, financial sovereignty, and technological competitiveness.
The roadmap outlines several priority areas and policy recommendations. These include integrating digital assets into the nation’s financial infrastructure, protecting decentralized networks, and establishing clear regulatory frameworks. It also examines Bitcoin mining’s potential role in strengthening U.S. energy security and recommends modernizing the banking system to adapt to the evolving digital economy. Additionally, the roadmap explores blockchain’s potential applications in government operations and fiscal oversight.
Extinction of the National Institute for Transparency, Access to Information, and Personal Data Protection
As we previously reported in an earlier newsletter, in accordance with the recent constitutional reform dated November 28, 2024, the extinction of seven autonomous agencies was decreed, including the National Institute for Transparency, Access to Information, and Personal Data Protection (INAI).
On Thursday, February 20, 2025, a Decree was published in the Official Gazette, enacting a new Federal Law on the Protection of Personal Data Held by Private Parties, as well as a new General Law on the Protection of Personal Data Held by Obligated Subjects.
These two new laws came into force on March 21, 2025, formalizing the extinction of INAI.
After reviewing these laws, it appears that the personal data protection framework—both for data held by private entities and by public entities of the Mexican Government—remains unchanged. There are no modifications to the rights of data subjects or to the obligations of those who process personal data.
Likewise, no changes have been observed in the legal framework for transparency and access to information.
The main change associated with these new laws is that all functions and powers previously held by INAI have now been transferred to the newly created Ministry of Anti-Corruption and Good Governance.
Another notable change is that the resolutions issued by this new Ministry may now be challenged through an amparo lawsuit before specialized courts in the field. Previously, INAI’s resolutions were challenged before the Federal Court of Administrative Justice.
As we previously warned, the elimination of autonomous agencies that oversee the actions of various federal government entities does not appear positive in a democratic state. Additionally, the concentration of INAI’s former powers—along with oversight and auditing functions—within a single Ministry does not seem advisable and could impact the continuity and effectiveness of the National Transparency Platform, as well as the protection of personal data, among other issues.
It is important to note that all pending matters that were unresolved by INAI will now be handled by the Secretariat of Anti-Corruption and Good Governance. This will likely result in delays in resolution times and may lead to discrepancies in the criteria applied to resolve cases.
Plaintiffs Try Another Bite at the Apple… and Google Too!
In a recent post about legal issues with the social casino sweepstakes model, we indicated that a recent RICO lawsuit against a social casino sweepstakes model, which also named Apple and Google, was dismissed voluntarily by the plaintiff. Plaintiffs are already taking another bite at the Apple.
A new lawsuit was filed against Apple and Google by lead Plaintiff Bargo and two co-plaintiffs. The new complaint alleges that the lawsuit is about “patently illegal gambling software being distributed to the cell phones, desktop computers and other personal electronic devices of individuals throughout New Jersey, New York and beyond, by an unlawful enterprise that includes two of the most successful companies in the world.” This complaint does not name any of the social casino games operators.
Rather, it alleges that the named defendants “willingly assist, promote and profit from” allegedly illegal gambling by: (1) offering users access to the apps through their app stores; (2) taking a substantial percentage of consumer purchases of Game Coins, Sweeps Coins and other transactions within the apps; (3) processing allegedly illicit transactions between consumers and the Sweepstakes Casinos using their proprietary payment systems; and (4) using targeted advertising to allegedly “shepherd the most vulnerable customers to the Sweepstakes Casinos’ websites and apps” facilitating an allegedly unlawful gambling enterprise.
The legal claims are made under the NJ gambling loss recovery statute, the New Jersey Consumer Fraud Act, Unjust Enrichment, New York’s gaming loss recovery statute, NY consumer protection laws, and the RICO laws.
MASSIVE NEW RISK FOR MARKETERS: Dobronski Nukes SelectQuote and the Whole TCPAWorld Has to Deal With the Fallout
So there’s this guy named Mark Dobronski.
Frequent commenter on TCPAWorld.
Aggressive repeat litigator who is not, at all, afraid to go it alone in TCPA cases and bring suits on his own behalf. He also raises novel and interesting issues.
Here’s one.
47 CFR 64.1601 provides that anyone engaging in telemarketing must transmit either a CPN or ANI, and the name of the telemarketer.
Dobronski alleged SelectQuote didn’t comply with this rule. So he sued.
But SelectQuote moved for summary judgment and won originally with the court determining the CFR provision was promulgated under section 227(e)–the Truth in Caller ID Act–that does not afford a private right of action.
Great, fine. Except one little problem– 64.1601 was promulgated before 227(e) was added to the TCPA.
Oops.
So this creates a mystery: Which section of the TCPA was the CFR section promulgated under?
SelectQuote’s attorneys argued it was pursuant to Section 227(d)–which prescribes technical requirements for prerecorded calls– but Dobronski countered the provisions of 64.1601 apply to all marketing calls, not just prerecorded calls.
As a result the Court defaulted to 227(c) as the statutory section that gave the FCC authority to promulgate the rule. This is so although the court conceded section 227(c) was not a perfect fit either.
So Dobronski just got a court to hold that the provisions of 64.1601 ARE enforceable pursuant to a private right of action.
Eesh.
That means telemarketers–looking at you lead generators–need to make sure either:
The name of the telemarketer is displayed on your caller ID; or
The name of the seller on behalf of which the telemarketing call is placed and the seller’s customer service telephone number are displayed.
Hope y’all are following along. Because this is a HUGE deal.
Btw– the CORRECT answer here is that the FCC EXCEEDED ITS AUTHORITY in creating 64.1601 as Congress had not yet given it the ability to regulate caller ID until 227(e) was passed. Ta da.
But SelectQuote’s lawyers (apparently) did not raise that argument. So here we are.
And, what a surprise– the lawyers who just got beat by a guy WITHOUT AN ATTORNEY are from, you guessed it!, #BIGLAW!!!
Hire big law. Expect big losses folks.
Luckily you can get out of the biglaw trap for less money but only for another 6 days!
Chat soon.
Case is: Dobronski v. SelectQuote 2025 WL 900439 (E.D. Mich March 25, 2025)
DEA Buprenorphine Rule Delayed to December 31, 2025
The U.S. Department of Health and Human Services (HHS) and the Drug Enforcement Administration (DEA) have postponed the effective date of the final rule regarding telemedicine prescribing of buprenorphine (the final buprenorphine rule) to December 31, 2025. In its final rule postponing the effective date, the DEA notes that it received 32 comments. Of those, 13 commenters requested the effective date be finalized as soon as possible, while three urged an additional delay. Eleven commenters raised concerns about the final buprenorphine rule itself. The DEA states that, because of these comments, it will further delay the effective date to further review any questions of fact, law, and policy the rules may raise.
A Brief History
On January 17, 2025, in anticipation of the change of administration, the DEA and HHS finalized and published the final buprenorphine rule, which establishes a permanent pathway for the telemedicine prescribing of buprenorphine for opioid use disorder (OUD). The final buprenorphine rule was set to take effect February 18, 2025. (See our prior blog “DEA Tightens Buprenorphine Telemedicine Prescribing Rules” which discusses the requirements of the final buprenorphine rule.) On January 20, 2025, the Trump administration issued the Regulatory Freeze Pending Review Presidential Memorandum authorizing HHS and the DEA to delay the effective date of the final buprenorphine rule until March 21, 2025. The delay was intended to allow time to review any questions of fact, law, and policy the rule may raise, as well as to open a comment period to gather input from interested parties. On February 14, 2025, in accordance with the Presidential Memorandum, HHS and the DEA announced this delay and review of the final buprenorphine rule. (See our prior blog “DEA Delays Final Buprenorphine Rule” about the first delayed effective date of the final buprenorphine rule.)
Make Your Voice Heard
HHS and the DEA are not accepting formal comments with this final rule. However, stakeholders with concerns about the final buprenorphine rule and its effective date are encouraged to share their feedback by contacting their local Congressperson or the White House.
What Comes Next
With the delay of the final buprenorphine rule, stakeholders can continue relying on the current set of telemedicine prescribing flexibilities through the end of 2025 without uncertainty about whether the obligations of the final buprenorphine rule will apply and potentially supersede the flexibilities now that the dates are aligned. As a potential permanent solution for prescribing OUD treatment via telemedicine, two U.S. Senators reintroduced the Telehealth Response for E-Prescribing Addiction Therapy Services (TREATS) Act in March 2025, as bipartisan legislation. The TREATS Act amends the Controlled Substances Act to make the buprenorphine-related telemedicine prescribing flexibilities permanent. It was previously introduced in June 2020, February 2021, and November 2023, but in each instance, it did not progress out of Committee.
Although the TREATS Act is more favorable to stakeholders than the final buprenorphine rule because it does not include the additional obligations of the final buprenorphine rule, its history suggests it is unlikely to be signed into law. However, because the current DEA stance on the issue is still unclear, there remains a possibility that the TREATS Act could be finalized in place of the final buprenorphine rule. We will continue to monitor developments regarding the final buprenorphine rule and the TREATS Act.
Telehealth Cliff Averted, for Now (But September is Six Months Away)
The potential plunge off the telehealth cliff that we warned you about in our March 3, 2025, blog post has been averted, for now.
With the passage of the Continuing Resolution (CR) by the House and Senate, and the subsequent signing by the president, current telehealth flexibilities and Medicare coverage for the benefit will not expire on March 31. With funding established through the end of the fiscal year—September 30, 2025—the CR provides at least a brief extension of telehealth flexibilities for those, particularly in rural areas or with mobility problems, who have come to rely on telehealth for access to critical health care services since March 2020.
As we noted on March 3, COVID-19 shifted perceptions of telehealth in a way that is not likely to ever return to pre-2020 notions, despite the wrangling over extensions. Between April and June of 2020, nearly half of all Medicare beneficiaries had at least one virtual medical visit. The COVID-19 public health emergency officially ended in May 2023, but the Medicare telehealth flexibilities have been extended several times.
The Continuing Resolution: Telehealth
Section 2207 of the CR, “Extension of Certain Telehealth Flexibilities,” is substantively identical to Section 3207 of the American Relief Act of 2025 (which granted the 90-day extension for telehealth flexibilities through March 2025). The new Section 2207, with the September 30 date,
Removes geographic requirements and expands originating sites for telehealth services (including patients’ homes);
Expands the list of practitioners who are eligible to furnish telehealth services (includes all practitioners who are eligible to bill Medicare for covered services, such as physical and occupational therapists, speech pathologists, audiologists, marriage and family therapists, and mental health services);
Extends telehealth services to federally qualified health centers (FQHCs) and rural health clinics (RHCs), who may serve as distant site providers;
Delays the Medicare in-person requirements for mental health services furnished through telehealth and telecommunications technology, including FQHCs and RHCs;
Allows for the payment/furnishing of audio-only telehealth services;
Extends use of telehealth to conduct face-to-face encounter(s) prior to recertification of eligibility for hospice care; and
Grants program instruction authority, meaning that the secretary of the Department of Health and Human Services may implement the amendments made by this section through program instruction or otherwise.
Utilization and Costs
Immediately following the passage and signing of the CR, the Center for Connected Health Policy and the National Telehealth Policy Resource Center issued an article pointing out that recent Medicare utilization and spending findings actually support Medicare telehealth expansions—and do not in fact support discontinuing the extensions on the grounds of increased patient utilization or costs.
As these organizations noted, the University of Michigan’s Institute for Healthcare Policy and Innovation has concluded—with respect to outpatient utilization—that while mental health is a high driver of telehealth use, and primary care is a moderate one, telehealth did not cause a rise in total post-pandemic evaluation and management visits among Medicare fee-for-service beneficiaries when compared to prepandemic levels (orthopedic surgery, for example, has low telehealth use).
A second study by the Institute for Healthcare Policy and Innovation similarly lends support for permanent telehealth coverage when examining the question of costs. This study found that telehealth-initiated visits were actually associated with lower 30-day spending compared to in-person-initiated visits. Though return visit rates were higher for telehealth, lab testing and imaging rates were lower, suggesting that telehealth may reduce overall Medicare spending.
The Next Six Months?
The American Telemedicine Association and its advocacy arm, ATA Action, have called the March 14 vote on the CR “a big victory for telehealth, and a huge relief for patients and clinicians in every state and region of the United States, especially those in underserved communities.” Yet Kyle Zebley, ATA Action’s executive director, called the short extensions “an impediment to long-term certainty.”
Certain provisions that were left out of the year-end funding package of December 2024 remain excluded, such as
First dollar coverage of High Deductible Health Plans/Health Savings Accounts (HDHP-HSA) tax provision;
In-home cardiology rehabilitation flexibilities;
Virtual diabetes prevention program suppliers in Medicare Diabetes Prevention Program (MDPP); and
SPEAK Act, which facilitates guidance and access to best practices on providing telehealth services accessibly.
Some organizations, such as the National Consortium of Telehealth Resource Centers, are already preparing for the next telehealth policy cliff on October 1, 2025. For now, as the Telehealth Policy website of the Department of Health and Human Services states, telehealth services can still be provided by all eligible Medicare providers through September 30, 2025. Until that date:
There are no geographic restrictions for originating sites for Medicare telehealth services, and Medicare patients can receive these services in their home.
An in-person visit within six months of an initial Medicare behavioral/mental telehealth service, and annually thereafter, is not required.
FQHCs and RHCs can serve as Medicare distant site providers for nonbehavioral/mental telehealth services.
Telehealth services in Medicare can be delivered using audio-only communication.
New York AG Settles with School App
The New York Attorney General recently entered into an assurance of discontinuance with Saturn Technologies, operator of an app used by high school and college students. The app was designed to be a social media platform that assists students with tracking their calendars and events. It also includes connection and social networking features and displayed students’ information to others. This included students’ location and club participation, among other things. According to the NYAG, the company had engaged in a series of acts that violated the state’s unfair and deceptive trade practice laws.
In particular, according to the attorney general, although the app said that it verified users before allowing them into these school communities, in fact anyone could join them. Based on the investigation done by the AG, the majority of users appeared not to have been verified or screened to block fraudulent accounts, in other words, accounts that were not those of students at the school. This was a concern, stressed the AG, as the unverified users had access to personal information of students. The AG argued that these actions constituted unfair and deceptive trade practices.
Finally, the AG alleged that the company did not make it clear that “student ambassadors” (who promoted the program) received rewards for marketing the program. As part of the settlement, the app maker has agreed to create and train employees and ambassadors on how to comply with the FTC’s Endorsements Guides by, among other things, disclosing their connection to the app maker when discussing their use of the app.
Putting It Into Practice: This case is a reminder to review apps directed to older minors not only from a COPPA perspective (which applies to those under 13). Here, the NYAG has alleged violations stemming from representations that the company made about the steps it would take to verify users. It also signals expectations in New York for protecting minors if offering a social media platform intended only for that market.
FinCEN Issues Interim CTA Rule, U.S. Entities and Individuals Exempted From Reporting
Highlights
The Financial Crimes Enforcement Network (FinCEN) issued an interim final rule that changes requirements for reporting beneficial ownership information (BOI) under the Corporate Transparency Act
The rule narrows existing reporting requirements and requires only entities previously defined as “foreign reporting companies” to report BOI
FinCEN defines new exemptions from reporting for domestic entities and U.S. persons
The Financial Crimes Enforcement Network (FinCEN) recently issued a press release concerning the issuance of a new interim final rule that removes requirements for U.S. companies and persons to report beneficial ownership information (BOI) to FinCEN under the Corporate Transparency Act (CTA).
Consistent with the U.S. Department of the Treasury’s March 2, 2025, announcement, FinCEN is adopting the interim final rule to narrow BOI reporting requirements under the CTA to apply only to entities previously defined as “foreign reporting companies.”
In the new interim final rule, FinCEN revises the definition of “reporting company” to mean only those entities that are formed under the law of a foreign country and that have registered to do business in any U.S. state or tribal jurisdiction by filing a document with a secretary of state or similar office (such entities, previously defined as “foreign reporting companies”).
Additionally, FinCEN adds a new exemption available to entities formed in the U.S., previously defined as “domestic reporting companies.” Such entities are exempt from BOI reporting and do not have to report BOI to FinCEN, or update or correct BOI previously reported to FinCEN.
Thus, through the interim final rule, entities created in the United States – along with their beneficial owners – are exempted from requirements to report BOI to FinCEN.
Two Changes for Foreign Reporting Companies
With limited exceptions, the interim final rule does not change existing requirements for foreign reporting companies. However, the new interim rule does make two significant modifications to such requirements:
The interim rule extends the deadline to file initial BOI reports, and to update or correct previously filed BOI reports, to 30 calendar days from the date of its publication to give foreign reporting companies additional time to comply.
The interim final rule exempts foreign reporting companies from having to report the BOI of any U.S. persons who are beneficial owners of the foreign reporting company and exempts U.S. persons from having to provide such information to any foreign reporting company of which they are a beneficial owner.
Foreign entities that meet the new definition of a “reporting company” and do not qualify for an available exemption must report their BOI to FinCEN in compliance with these new deadlines.
Under the new interim rule, a reporting company is any entity that is:
a corporation, limited liability company, or other entity
formed under the law of a foreign country
registered to do business in any state or tribal jurisdiction by the filing of a document with a secretary of state or any similar office under the law of that state or Indian tribe
Reporting companies that registered to do business in the United States before the date of publication of the interim final rule must file BOI reports no later than 30 calendar days from the date of the new interim rule’s publication in the Federal Register. Reporting companies that register to do business in the United States on or after the date of publication of the interim final rule have 30 calendar days to file an initial BOI report after receiving notice their registration is effective.
FinCEN is accepting comments on this interim final rule until 60 days after it is published in the Federal Register and notes that it will assess the exemptions included in the subsequent final rule, as appropriate, in light of those comments. It intends to issue a final rule this year.
DEA Telemedicine Rules Further Delayed Until (Nearly) 2026
Those waiting anxiously for the rules expanding the prescribing of buprenorphine via telemedicine and the controlled substance prescribing for patients at the Department of Veterans Affairs to officially go into effect will now have to wait until New Year’s Eve—December 31, 2025.
Practitioners will, however, be allowed to continue prescribing via telemedicine without first having an in-person visit with the patient, owing to COVID-19 Telemedicine Flexibilities for Prescription of Controlled Medications, in effect through the same end-of-year date.
A seven-page document released by the Department of Justice’s Drug Enforcement Administration (DOJ, DEA) and Department of Health and Human Services (HHS)—scheduled to be published in the Federal Register on March 24—further delays the effective dates of the “Expansion of Buprenorphine Treatment via Telemedicine Encounter” Final Rule and the “Continuity of Care for Veterans Affairs Patients” Final Rule, both dated January 17, 2025.
As we alerted you in February, these same two rules, collectively referred to as the “Buprenorphine and VA Telemedicine Prescribing Rules,” were originally scheduled to become final on February 18, 2025 but were delayed until March 21, 2025.
The first delay stemmed from the January 20, 2025, Presidential Memorandum titled “Regulatory Freeze Pending Review” (the “Freeze Memo”) that empowered federal departments and agencies to “consider postponing” the dates of rules published but not yet in effect.
After reviewing the 32 comments that the first delay generated, the DOJ now “wishes to further postpone the effective dates for the purpose of further reviewing any questions of fact, law, and policy that the rules may raise,” despite the fact that 13 of the 32 commenters wished to finalize the effective date of the two rules as soon as possible.
The Rules
The Buprenorphine and VA Telemedicine Prescribing Rules amended previous regulations to expand the circumstances under which:
practitioners registered by DEA are authorized to prescribe schedule III-V controlled substances approved by the FDA for treatment of opioid use disorder via a telemedicine encounter; and
VA practitioners acting within the scope of their VA employment are authorized to prescribe schedule II-IV controlled substances via telemedicine to a VA patient with whom they have not conducted an in-person medical evaluation, if another VA practitioner has, at any time, previously conducted an in-person medical evaluation of the VA patient, subject to conditions.
The EBG team continues to monitor any changes to the Buprenorphine and VA Telemedicine Prescribing Rules.
Additional Author: David Shillcutt
Understanding MSO Agreements: Key Considerations for Healthcare Providers
As healthcare providers look to streamline operations and improve efficiency, Management Service Organizations (“MSOs”) have become increasingly vital in helping medical practices, dental offices, and other healthcare entities manage non-clinical functions. MSOs typically provide administrative support, including billing, non-clinical human resources, IT management, and compliance services. These partnerships enable healthcare providers to focus on delivering quality patient care while MSOs handle the back-office tasks.
However, entering into an MSO agreement is a significant decision that requires careful legal consideration.
What is an MSO Agreement?
An MSO agreement is a contract between a healthcare provider (such as a physician practice) and an MSO. The MSO provides non-clinical services such as management, billing, non-clinical human resources, compliance, and office administration, allowing a healthcare practice to focus solely on patient care. By entering into this agreement, healthcare providers can streamline operations, reduce overhead, and enhance efficiency without sacrificing quality.
That said, MSO agreements are more than just administrative contracts – they often carry substantial legal and regulatory implications. Ensuring that your MSO agreement is structured correctly is critical for your practice’s success and legal compliance.
Key Considerations in MSO Agreements
1. Compliance with Healthcare Regulations
Healthcare is one of the most heavily regulated industries, and MSO agreements must comply with numerous federal and state laws, including the Stark Law, Anti-Kickback Statute, and other regulatory guidelines. MSOs must not provide services in a way that would violate these laws, particularly when they involve relationships between healthcare providers and third-party vendors.
Pro Tip: Always consult with legal counsel to ensure that the MSO agreement is structured to avoid conflicts of interest and potential regulatory violations.
2. Ownership and Control
One of the central issues in any MSO agreement is determining who controls the business operations. While an MSO can offer significant operational support, healthcare providers must always maintain clinical autonomy. The agreement must clearly define the scope of services, ensuring that the MSO does not infringe upon the practice’s medical decision-making.
Pro Tip: Ensure that the agreement specifies that clinical decisions remain under the control of the healthcare providers and that MSOs only handle non-clinical functions.
3. Fee Structure and Compensation
The financial terms of an MSO agreement are critical. The fee arrangement should reflect fair market value and should be structured in a way that aligns with both parties’ interests. For example, the MSO might be compensated on a flat fee, percentage of revenue, or another model. It is essential to carefully negotiate this provision to avoid potential legal risks.
Pro Tip: Work with a healthcare law expert to establish a fair and transparent fee structure that avoids any potential for abuse under fraud, waste and abuse laws.
4. Termination and Exit Strategy
MSO agreements often last for a set period, but healthcare practices should plan for the possibility of termination or acquisition by private equity investors. It is important to outline clear terms for contract termination, including any notice periods and exit strategies. These provisions protect both parties and provide clarity if either party wishes to end the relationship or modify the terms.
Pro Tip: Ensure that the contract includes adequate safeguards for data protection, patient confidentiality, and transition planning in the event of termination. Further, because a successful MSO model in a practice is particularly attractive to private equity investors, it is crucial that the agreement is structured in a way that would allow for the acquisition of the practice in the future.
5. Liability and Risk Management
MSOs often provide services that carry legal risks, including billing, compliance, and human resources. It is essential that the MSO agreement clearly delineates liability, particularly regarding errors in services provided by the MSO. Any misstep in these areas can lead to significant exposure for the healthcare provider.
Pro Tip: Consider including indemnity clauses and releases that protect the healthcare provider from liability for the MSO’s mistakes or negligence.
BIG LAW LOSS: TCPA Defendant Loses Bifurcation Effort After Terrible Discovery Objections– Is #BigLaw Inexperience to Blame?
Looks like #biglaw inexperience has cost another TCPA defendant big time.
But let’s try to stay positive.
First, I’m fairly certain I invented the concept of seeking bifurcated discovery in TCPA class litigation.
I know I invented seeking “trifurcated” discovery in TCPA class litigation.
Been doing it since 2011.
For a long time no other defense counsel even attempted the maneuver. Recently we have seen quite a bit of it. But like so much else in litigation, it’s one thing to make the right move– it’s another thing to win the move. Especially when #biglaw is involved. These guys can’t seem to win anything in TCPAWorld.
So what does bi/trifurcated discovery even mean and why does it matter?
The primary vehicle Plaintiff’s lawyers have to extract large dollar TCPA settlements is class discovery. They serve massively overly broad demands–stuff like, produce records of every call you’ve ever made and every consent record supporting the right to make those calls and every account record for every customer that signed up as a result of those calls– in an effort to turn a company inside out and drive them to the settlement table.
For smaller companies these sorts of demands are irritating and invasive, but perhaps not crippling. But for large enterprises the idea of extracting millions of confidential/private client files to hand over to a plaintiff’s lawyer is downright insane.
Now the rules typically do not allow for this type of discovery but if defense counsel isn’t VERY careful with objections they may end up waiving critical protections and the court may end up issuing an order compelling production of these materials.
But one way to cut off this entire issue is by asking the court to prevent invasive “merits” discovery into class claims until after class issues are decided. (Type 1 bifurcation.) Or to stay all class discovery pending the outcome of a dispositive motion challenge to the named plaintiff’s claim. (Type 2 bifurcation.) Either one of these is a form of “bifurcation” of discovery.
In Bond v. Folsom Insurance Agency, 2025 WL 863469 (N.D. Tex. March 19, 2025) the Defendant–represented by a #biglaw firm that did NOT make my list of top best TCPA lawyers–attempted Type 2 bifurcation (i.e. they sought to stay class discovery until the Plaintiff’s individual claims were resolved.) Unfortunately the defendant had already lost a discovery battle earlier in the case and the court was not going to allow the belated effort to seek bifurcation bail the defendant out. So it denied the motion.
Get it?
The defense failed to seek bifurcation at the right time. Then it failed to assert proper objections/arguments to prevent the production of class wide information. Instead it asserted “boilerplate objections” that were rejected by the court.
What a disaster. Shouldn’t have happened.
Health Fitness, OCR’s Risk Analysis Initiative, and the ERISA Fiduciary Duty to Select Plan Service Providers
On Friday, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced the fifth enforcement action under its Risk Analysis Initiative. In this case, OCR reached a settlement with Health Fitness Corporation (Health Fitness), a wellness vendor providing services to employer-sponsored group health plans.
This announcement is interesting for several reasons. It furthers the OCR’s Risk Analysis Initiative. The enforcement action is a reminder to business associates about HIPAA compliance. The settlement also points to a significant development under ERISA for plan fiduciaries and service providers to their plans.
The OCR Risk Analysis Initiative
Anyone who takes a look at prior OCR enforcement actions will notice several trends. One of those trends relates to enforcement actions following a data breach. In those cases, the OCR frequently alleges the target of the action failed to satisfy the risk analysis standard under the Security Rule. This standard is fundamental – it involves assessing the threats and vulnerabilities to electronic protected health information (ePHI), a process that helps to shape the covered entity or business associate’s approach to the other standards, and goes beyond a simple gap analysis.
“Conducting an accurate and thorough risk analysis is not only required but is also the first step to prevent or mitigate breaches of electronic protected health information,” said OCR Acting Director Anthony Archeval. “Effective cybersecurity includes knowing who has access to electronic health information and ensuring that it is secure.”
For those wondering how committed the OCR is to its enforcement initiatives, you need not look further than its Right to Access Initiative. On March 6, 2025, the agency announced its 53rd enforcement action. According to that announcement, it involved a $200,000 civil monetary penalty imposed against a public academic health center and research university for violating an individual’s right to timely access her medical records through a personal representative.
The DOL Cybersecurity Rule
Businesses that sponsor a group health plan or other ERISA employee benefit plans might want to review the OCR’s announcement and resolution agreement concerning Health Fitness a little more carefully. In 2024, the DOL’s Employee Benefits Security Administration (EBSA) issued Compliance Assistance Release No. 2024-01. That release makes clear that the fiduciary obligation to assess the cybersecurity of plan service providers applies to all ERISA-covered employee benefit plans, including wellness programs for group health plans.
OCR commenced its investigation of Health Fitness after receiving four reports from Health Fitness, over a three-month period (October 15, 2018, to January 25, 2019), of breaches of PHI. According to the OCR, “Health Fitness reported that beginning approximately in August 2015, ePHI became discoverable on the internet and was exposed to automated search devices (web crawlers) resulting from a software misconfiguration on the server housing the ePHI.” Despite these breaches, according to the OCR, Health Fitness had failed to conduct an accurate and thorough risk analysis until January 19, 2024.
Health Fitness agreed to implement a corrective action plan that OCR will monitor for two years and paid $227,816 to OCR. For ERISA plan fiduciaries, an important question is what they need to do to assess the cybersecurity of plan service providers like Health Fitness during the procurement process and beyond.
We provide some thoughts in our earlier article and want to emphasize that plan fiduciaries need to be involved in the process. Cybersecurity is often a risk left to the IT department. However, doing so may leave even the most ardent IT professional ill-equipped or insufficiently informed about the threats and vulnerabilities of the particular service provider. When it comes to ERISA plans, this means properly assessing the threats and vulnerabilities as they relate to the aspects of plan administration being handled by the service provider.
Third-party plan service providers and plan fiduciaries should begin taking reasonable and prudent steps to implement safeguards that will adequately protect plan data. EBSA’s guidance should help the responsible parties get there, along with the plan fiduciaries and plan sponsors’ trusted counsel and other advisors.