MASSIVE NEW RISK FOR MARKETERS: Dobronski Nukes SelectQuote and the Whole TCPAWorld Has to Deal With the Fallout
So there’s this guy named Mark Dobronski.
Frequent commenter on TCPAWorld.
Aggressive repeat litigator who is not, at all, afraid to go it alone in TCPA cases and bring suits on his own behalf. He also raises novel and interesting issues.
Here’s one.
47 CFR 64.1601 provides that anyone engaging in telemarketing must transmit either a CPN or ANI, and the name of the telemarketer.
Dobronski alleged SelectQuote didn’t comply with this rule. So he sued.
But SelectQuote moved for summary judgment and won originally with the court determining the CFR provision was promulgated under section 227(e)–the Truth in Caller ID Act–that does not afford a private right of action.
Great, fine. Except one little problem– 64.1601 was promulgated before 227(e) was added to the TCPA.
Oops.
So this creates a mystery: Which section of the TCPA was the CFR section promulgated under?
SelectQuote’s attorneys argued it was pursuant to Section 227(d)–which prescribes technical requirements for prerecorded calls– but Dobronski countered the provisions of 64.1601 apply to all marketing calls, not just prerecorded calls.
As a result the Court defaulted to 227(c) as the statutory section that gave the FCC authority to promulgate the rule. This is so although the court conceded section 227(c) was not a perfect fit either.
So Dobronski just got a court to hold that the provisions of 64.1601 ARE enforceable pursuant to a private right of action.
Eesh.
That means telemarketers–looking at you lead generators–need to make sure either:
The name of the telemarketer is displayed on your caller ID; or
The name of the seller on behalf of which the telemarketing call is placed and the seller’s customer service telephone number are displayed.
Hope y’all are following along. Because this is a HUGE deal.
Btw– the CORRECT answer here is that the FCC EXCEEDED ITS AUTHORITY in creating 64.1601 as Congress had not yet given it the ability to regulate caller ID until 227(e) was passed. Ta da.
But SelectQuote’s lawyers (apparently) did not raise that argument. So here we are.
And, what a surprise– the lawyers who just got beat by a guy WITHOUT AN ATTORNEY are from, you guessed it!, #BIGLAW!!!
Hire big law. Expect big losses folks.
Luckily you can get out of the biglaw trap for less money but only for another 6 days!
Chat soon.
Case is: Dobronski v. SelectQuote 2025 WL 900439 (E.D. Mich March 25, 2025)
DEA Buprenorphine Rule Delayed to December 31, 2025
The U.S. Department of Health and Human Services (HHS) and the Drug Enforcement Administration (DEA) have postponed the effective date of the final rule regarding telemedicine prescribing of buprenorphine (the final buprenorphine rule) to December 31, 2025. In its final rule postponing the effective date, the DEA notes that it received 32 comments. Of those, 13 commenters requested the effective date be finalized as soon as possible, while three urged an additional delay. Eleven commenters raised concerns about the final buprenorphine rule itself. The DEA states that, because of these comments, it will further delay the effective date to further review any questions of fact, law, and policy the rules may raise.
A Brief History
On January 17, 2025, in anticipation of the change of administration, the DEA and HHS finalized and published the final buprenorphine rule, which establishes a permanent pathway for the telemedicine prescribing of buprenorphine for opioid use disorder (OUD). The final buprenorphine rule was set to take effect February 18, 2025. (See our prior blog “DEA Tightens Buprenorphine Telemedicine Prescribing Rules” which discusses the requirements of the final buprenorphine rule.) On January 20, 2025, the Trump administration issued the Regulatory Freeze Pending Review Presidential Memorandum authorizing HHS and the DEA to delay the effective date of the final buprenorphine rule until March 21, 2025. The delay was intended to allow time to review any questions of fact, law, and policy the rule may raise, as well as to open a comment period to gather input from interested parties. On February 14, 2025, in accordance with the Presidential Memorandum, HHS and the DEA announced this delay and review of the final buprenorphine rule. (See our prior blog “DEA Delays Final Buprenorphine Rule” about the first delayed effective date of the final buprenorphine rule.)
Make Your Voice Heard
HHS and the DEA are not accepting formal comments with this final rule. However, stakeholders with concerns about the final buprenorphine rule and its effective date are encouraged to share their feedback by contacting their local Congressperson or the White House.
What Comes Next
With the delay of the final buprenorphine rule, stakeholders can continue relying on the current set of telemedicine prescribing flexibilities through the end of 2025 without uncertainty about whether the obligations of the final buprenorphine rule will apply and potentially supersede the flexibilities now that the dates are aligned. As a potential permanent solution for prescribing OUD treatment via telemedicine, two U.S. Senators reintroduced the Telehealth Response for E-Prescribing Addiction Therapy Services (TREATS) Act in March 2025, as bipartisan legislation. The TREATS Act amends the Controlled Substances Act to make the buprenorphine-related telemedicine prescribing flexibilities permanent. It was previously introduced in June 2020, February 2021, and November 2023, but in each instance, it did not progress out of Committee.
Although the TREATS Act is more favorable to stakeholders than the final buprenorphine rule because it does not include the additional obligations of the final buprenorphine rule, its history suggests it is unlikely to be signed into law. However, because the current DEA stance on the issue is still unclear, there remains a possibility that the TREATS Act could be finalized in place of the final buprenorphine rule. We will continue to monitor developments regarding the final buprenorphine rule and the TREATS Act.
Telehealth Cliff Averted, for Now (But September is Six Months Away)
The potential plunge off the telehealth cliff that we warned you about in our March 3, 2025, blog post has been averted, for now.
With the passage of the Continuing Resolution (CR) by the House and Senate, and the subsequent signing by the president, current telehealth flexibilities and Medicare coverage for the benefit will not expire on March 31. With funding established through the end of the fiscal year—September 30, 2025—the CR provides at least a brief extension of telehealth flexibilities for those, particularly in rural areas or with mobility problems, who have come to rely on telehealth for access to critical health care services since March 2020.
As we noted on March 3, COVID-19 shifted perceptions of telehealth in a way that is not likely to ever return to pre-2020 notions, despite the wrangling over extensions. Between April and June of 2020, nearly half of all Medicare beneficiaries had at least one virtual medical visit. The COVID-19 public health emergency officially ended in May 2023, but the Medicare telehealth flexibilities have been extended several times.
The Continuing Resolution: Telehealth
Section 2207 of the CR, “Extension of Certain Telehealth Flexibilities,” is substantively identical to Section 3207 of the American Relief Act of 2025 (which granted the 90-day extension for telehealth flexibilities through March 2025). The new Section 2207, with the September 30 date,
Removes geographic requirements and expands originating sites for telehealth services (including patients’ homes);
Expands the list of practitioners who are eligible to furnish telehealth services (includes all practitioners who are eligible to bill Medicare for covered services, such as physical and occupational therapists, speech pathologists, audiologists, marriage and family therapists, and mental health services);
Extends telehealth services to federally qualified health centers (FQHCs) and rural health clinics (RHCs), who may serve as distant site providers;
Delays the Medicare in-person requirements for mental health services furnished through telehealth and telecommunications technology, including FQHCs and RHCs;
Allows for the payment/furnishing of audio-only telehealth services;
Extends use of telehealth to conduct face-to-face encounter(s) prior to recertification of eligibility for hospice care; and
Grants program instruction authority, meaning that the secretary of the Department of Health and Human Services may implement the amendments made by this section through program instruction or otherwise.
Utilization and Costs
Immediately following the passage and signing of the CR, the Center for Connected Health Policy and the National Telehealth Policy Resource Center issued an article pointing out that recent Medicare utilization and spending findings actually support Medicare telehealth expansions—and do not in fact support discontinuing the extensions on the grounds of increased patient utilization or costs.
As these organizations noted, the University of Michigan’s Institute for Healthcare Policy and Innovation has concluded—with respect to outpatient utilization—that while mental health is a high driver of telehealth use, and primary care is a moderate one, telehealth did not cause a rise in total post-pandemic evaluation and management visits among Medicare fee-for-service beneficiaries when compared to prepandemic levels (orthopedic surgery, for example, has low telehealth use).
A second study by the Institute for Healthcare Policy and Innovation similarly lends support for permanent telehealth coverage when examining the question of costs. This study found that telehealth-initiated visits were actually associated with lower 30-day spending compared to in-person-initiated visits. Though return visit rates were higher for telehealth, lab testing and imaging rates were lower, suggesting that telehealth may reduce overall Medicare spending.
The Next Six Months?
The American Telemedicine Association and its advocacy arm, ATA Action, have called the March 14 vote on the CR “a big victory for telehealth, and a huge relief for patients and clinicians in every state and region of the United States, especially those in underserved communities.” Yet Kyle Zebley, ATA Action’s executive director, called the short extensions “an impediment to long-term certainty.”
Certain provisions that were left out of the year-end funding package of December 2024 remain excluded, such as
First dollar coverage of High Deductible Health Plans/Health Savings Accounts (HDHP-HSA) tax provision;
In-home cardiology rehabilitation flexibilities;
Virtual diabetes prevention program suppliers in Medicare Diabetes Prevention Program (MDPP); and
The SPEAK Act, which facilitates guidance and access to best practices on providing telehealth services accessibly.
Some organizations, such as the National Consortium of Telehealth Resource Centers, are already preparing for the next telehealth policy cliff on October 1, 2025. For now, as the Telehealth Policy website of the Department of Health and Human Services states, telehealth services can still be provided by all eligible Medicare providers through September 30, 2025. Until that date:
There are no geographic restrictions for originating sites for Medicare telehealth services, and Medicare patients can receive these services in their home.
An in-person visit within six months of an initial Medicare behavioral/mental telehealth service, and annually thereafter, is not required.
FQHCs and RHCs can serve as Medicare distant site providers for nonbehavioral/mental telehealth services.
Telehealth services in Medicare can be delivered using audio-only communication.
New York AG Settles with School App
The New York Attorney General recently entered into an assurance of discontinuance with Saturn Technologies, operator of an app used by high school and college students. The app was designed to be a social media platform that assists students with tracking their calendars and events. It also includes connection and social networking features and displayed students’ information to others. This included students’ location and club participation, among other things. According to the NYAG, the company had engaged in a series of acts that violated the state’s unfair and deceptive trade practice laws.
In particular, according to the attorney general, although the app said that it verified users before allowing them into these school communities, in fact anyone could join them. Based on the investigation done by the AG, the majority of users appeared not to have been verified or screened to block fraudulent accounts, in other words, accounts that were not those of students at the school. This was a concern, stressed the AG, as the unverified users had access to personal information of students. The AG argued that these actions constituted unfair and deceptive trade practices.
Finally, the AG alleged that the company did not make it clear that “student ambassadors” (who promoted the program) received rewards for marketing the program. As part of the settlement, the app maker has agreed to create and train employees and ambassadors on how to comply with the FTC’s Endorsements Guides by, among other things, disclosing their connection to the app maker when discussing their use of the app.
Putting It Into Practice: This case is a reminder to review apps directed to older minors not only from a COPPA perspective (which applies to those under 13). Here, the NYAG has alleged violations stemming from representations that the company made about the steps it would take to verify users. It also signals expectations in New York for protecting minors if offering a social media platform intended only for that market.
FinCEN Issues Interim CTA Rule, U.S. Entities and Individuals Exempted From Reporting
Highlights
The Financial Crimes Enforcement Network (FinCEN) issued an interim final rule that changes requirements for reporting beneficial ownership information (BOI) under the Corporate Transparency Act
The rule narrows existing reporting requirements and requires only entities previously defined as “foreign reporting companies” to report BOI
FinCEN defines new exemptions from reporting for domestic entities and U.S. persons
The Financial Crimes Enforcement Network (FinCEN) recently issued a press release concerning the issuance of a new interim final rule that removes requirements for U.S. companies and persons to report beneficial ownership information (BOI) to FinCEN under the Corporate Transparency Act (CTA).
Consistent with the U.S. Department of the Treasury’s March 2, 2025, announcement, FinCEN is adopting the interim final rule to narrow BOI reporting requirements under the CTA to apply only to entities previously defined as “foreign reporting companies.”
In the new interim final rule, FinCEN revises the definition of “reporting company” to mean only those entities that are formed under the law of a foreign country and that have registered to do business in any U.S. state or tribal jurisdiction by filing a document with a secretary of state or similar office (such entities, previously defined as “foreign reporting companies”).
Additionally, FinCEN adds a new exemption available to entities formed in the U.S., previously defined as “domestic reporting companies.” Such entities are exempt from BOI reporting and do not have to report BOI to FinCEN, or update or correct BOI previously reported to FinCEN.
Thus, through the interim final rule, entities created in the United States – along with their beneficial owners – are exempted from requirements to report BOI to FinCEN.
Two Changes for Foreign Reporting Companies
With limited exceptions, the interim final rule does not change existing requirements for foreign reporting companies. However, the new interim rule does make two significant modifications to such requirements:
The interim rule extends the deadline to file initial BOI reports, and to update or correct previously filed BOI reports, to 30 calendar days from the date of its publication to give foreign reporting companies additional time to comply.
The interim final rule exempts foreign reporting companies from having to report the BOI of any U.S. persons who are beneficial owners of the foreign reporting company and exempts U.S. persons from having to provide such information to any foreign reporting company of which they are a beneficial owner.
Foreign entities that meet the new definition of a “reporting company” and do not qualify for an available exemption must report their BOI to FinCEN in compliance with these new deadlines.
Under the new interim rule, a reporting company is any entity that is:
a corporation, limited liability company, or other entity
formed under the law of a foreign country
registered to do business in any state or tribal jurisdiction by the filing of a document with a secretary of state or any similar office under the law of that state or Indian tribe
Reporting companies that registered to do business in the United States before the date of publication of the interim final rule must file BOI reports no later than 30 calendar days from the date of the new interim rule’s publication in the Federal Register. Reporting companies that register to do business in the United States on or after the date of publication of the interim final rule have 30 calendar days to file an initial BOI report after receiving notice their registration is effective.
FinCEN is accepting comments on this interim final rule until 60 days after it is published in the Federal Register and notes that it will assess the exemptions included in the subsequent final rule, as appropriate, in light of those comments. It intends to issue a final rule this year.
DEA Telemedicine Rules Further Delayed Until (Nearly) 2026
Those waiting anxiously for the rules expanding the prescribing of buprenorphine via telemedicine and the controlled substance prescribing for patients at the Department of Veterans Affairs to officially go into effect will now have to wait until New Year’s Eve—December 31, 2025.
Practitioners will, however, be allowed to continue prescribing via telemedicine without first having an in-person visit with the patient, owing to COVID-19 Telemedicine Flexibilities for Prescription of Controlled Medications, in effect through the same end-of-year date.
A seven-page document released by the Department of Justice’s Drug Enforcement Administration (DOJ, DEA) and Department of Health and Human Services (HHS)—scheduled to be published in the Federal Register on March 24—further delays the effective dates of the “Expansion of Buprenorphine Treatment via Telemedicine Encounter” Final Rule and the “Continuity of Care for Veterans Affairs Patients” Final Rule, both dated January 17, 2025.
As we alerted you in February, these same two rules, collectively referred to as the “Buprenorphine and VA Telemedicine Prescribing Rules,” were originally scheduled to become final on February 18, 2025 but were delayed until March 21, 2025.
The first delay stemmed from the January 20, 2025, Presidential Memorandum titled “Regulatory Freeze Pending Review” (the “Freeze Memo”) that empowered federal departments and agencies to “consider postponing” the dates of rules published but not yet in effect.
After reviewing the 32 comments that the first delay generated, the DOJ now “wishes to further postpone the effective dates for the purpose of further reviewing any questions of fact, law, and policy that the rules may raise,” despite the fact that 13 of the 32 commenters wished to finalize the effective date of the two rules as soon as possible.
The Rules
The Buprenorphine and VA Telemedicine Prescribing Rules amended previous regulations to expand the circumstances under which:
practitioners registered by DEA are authorized to prescribe schedule III-V controlled substances approved by the FDA for treatment of opioid use disorder via a telemedicine encounter; and
VA practitioners acting within the scope of their VA employment are authorized to prescribe schedule II-IV controlled substances via telemedicine to a VA patient with whom they have not conducted an in-person medical evaluation, if another VA practitioner has, at any time, previously conducted an in-person medical evaluation of the VA patient, subject to conditions.
The EBG team continues to monitor any changes to the Buprenorphine and VA Telemedicine Prescribing Rules.
Additional Author: David Shillcutt
Understanding MSO Agreements: Key Considerations for Healthcare Providers
As healthcare providers look to streamline operations and improve efficiency, Management Service Organizations (“MSOs”) have become increasingly vital in helping medical practices, dental offices, and other healthcare entities manage non-clinical functions. MSOs typically provide administrative support, including billing, non-clinical human resources, IT management, and compliance services. These partnerships enable healthcare providers to focus on delivering quality patient care while MSOs handle the back-office tasks.
However, entering into an MSO agreement is a significant decision that requires careful legal consideration.
What is an MSO Agreement?
An MSO agreement is a contract between a healthcare provider (such as a physician practice) and an MSO. The MSO provides non-clinical services such as management, billing, non-clinical human resources, compliance, and office administration, allowing a healthcare practice to focus solely on patient care. By entering into this agreement, healthcare providers can streamline operations, reduce overhead, and enhance efficiency without sacrificing quality.
That said, MSO agreements are more than just administrative contracts – they often carry substantial legal and regulatory implications. Ensuring that your MSO agreement is structured correctly is critical for your practice’s success and legal compliance.
Key Considerations in MSO Agreements
1. Compliance with Healthcare Regulations
Healthcare is one of the most heavily regulated industries, and MSO agreements must comply with numerous federal and state laws, including the Stark Law, Anti-Kickback Statute, and other regulatory guidelines. MSOs must not provide services in a way that would violate these laws, particularly when they involve relationships between healthcare providers and third-party vendors.
Pro Tip: Always consult with legal counsel to ensure that the MSO agreement is structured to avoid conflicts of interest and potential regulatory violations.
2. Ownership and Control
One of the central issues in any MSO agreement is determining who controls the business operations. While an MSO can offer significant operational support, healthcare providers must always maintain clinical autonomy. The agreement must clearly define the scope of services, ensuring that the MSO does not infringe upon the practice’s medical decision-making.
Pro Tip: Ensure that the agreement specifies that clinical decisions remain under the control of the healthcare providers and that MSOs only handle non-clinical functions.
3. Fee Structure and Compensation
The financial terms of an MSO agreement are critical. The fee arrangement should reflect fair market value and should be structured in a way that aligns with both parties’ interests. For example, the MSO might be compensated on a flat fee, percentage of revenue, or another model. It is essential to carefully negotiate this provision to avoid potential legal risks.
Pro Tip: Work with a healthcare law expert to establish a fair and transparent fee structure that avoids any potential for abuse under fraud, waste and abuse laws.
4. Termination and Exit Strategy
MSO agreements often last for a set period, but healthcare practices should plan for the possibility of termination or acquisition by private equity investors. It is important to outline clear terms for contract termination, including any notice periods and exit strategies. These provisions protect both parties and provide clarity if either party wishes to end the relationship or modify the terms.
Pro Tip: Ensure that the contract includes adequate safeguards for data protection, patient confidentiality, and transition planning in the event of termination. Further, because a successful MSO model in a practice is particularly attractive to private equity investors, it is crucial that the agreement is structured in a way that would allow for the acquisition of the practice in the future.
5. Liability and Risk Management
MSOs often provide services that carry legal risks, including billing, compliance, and human resources. It is essential that the MSO agreement clearly delineates liability, particularly regarding errors in services provided by the MSO. Any misstep in these areas can lead to significant exposure for the healthcare provider.
Pro Tip: Consider including indemnity clauses and releases that protect the healthcare provider from liability for the MSO’s mistakes or negligence.
BIG LAW LOSS: TCPA Defendant Loses Bifurcation Effort After Terrible Discovery Objections– Is #BigLaw Inexperience to Blame?
Looks like #biglaw inexperience has cost another TCPA defendant big time.
But let’s try to stay positive.
First, I’m fairly certain I invented the concept of seeking bifurcated discovery in TCPA class litigation.
I know I invented seeking “trifurcated” discovery in TCPA class litigation.
Been doing it since 2011.
For a long time no other defense counsel even attempted the maneuver. Recently we have seen quite a bit of it. But like so much else in litigation, it’s one thing to make the right move– it’s another thing to win the move. Especially when #biglaw is involved. These guys can’t seem to win anything in TCPAWorld.
So what does bi/trifurcated discovery even mean and why does it matter?
The primary vehicle Plaintiff’s lawyers have to extract large dollar TCPA settlements is class discovery. They serve massively overly broad demands–stuff like, produce records of every call you’ve ever made and every consent record supporting the right to make those calls and every account record for every customer that signed up as a result of those calls– in an effort to turn a company inside out and drive them to the settlement table.
For smaller companies these sorts of demands are irritating and invasive, but perhaps not crippling. But for large enterprises the idea of extracting millions of confidential/private client files to hand over to a plaintiff’s lawyer is downright insane.
Now the rules typically do not allow for this type of discovery but if defense counsel isn’t VERY careful with objections they may end up waiving critical protections and the court may end up issuing an order compelling production of these materials.
But one way to cut off this entire issue is by asking the court to prevent invasive “merits” discovery into class claims until after class issues are decided. (Type 1 bifurcation.) Or to stay all class discovery pending the outcome of a dispositive motion challenge to the named plaintiff’s claim. (Type 2 bifurcation.) Either one of these is a form of “bifurcation” of discovery.
In Bond v. Folsom Insurance Agency, 2025 WL 863469 (N.D. Tex. March 19, 2025) the Defendant–represented by a #biglaw firm that did NOT make my list of top best TCPA lawyers–attempted Type 2 bifurcation (i.e. they sought to stay class discovery until the Plaintiff’s individual claims were resolved.) Unfortunately the defendant had already lost a discovery battle earlier in the case and the court was not going to allow the belated effort to seek bifurcation bail the defendant out. So it denied the motion.
Get it?
The defense failed to seek bifurcation at the right time. Then they failed to assert proper objections/arguments to prevent the production of class wide information. Instead it asserted “boilerplate objections” that were rejected by the court.
What a disaster. Shouldn’t have happened.
Health Fitness, OCR’s Risk Analysis Initiative, and the ERISA Fiduciary Duty to Select Plan Service Providers
On Friday, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced the fifth enforcement action under its Risk Analysis Initiative. In this case, OCR reached a settlement with Health Fitness Corporation (Health Fitness), a wellness vendor providing services to employer-sponsored group health plans.
This announcement is interesting for several reasons. It furthers the OCR’s Risk Analysis Initiative. The enforcement action is a reminder to business associates about HIPAA compliance. The development also points to a significant development under ERISA for plan fiduciaries and service providers to their plans.
The OCR Risk Analysis Initiative
Anyone who takes a look at prior OCR enforcement actions will notice several trends. One of those trends relates to enforcement actions following a data breach. In those cases, the OCR frequently alleges the target of the action failed to satisfy the risk analysis standard under the Security Rule. This standard is fundamental – it involves assessing the threats and vulnerabilities to electronic protected health information (ePHI), a process that helps to shape the covered entity or business associate’s approach to the other standards, and goes beyond a simple gap analysis.
“Conducting an accurate and thorough risk analysis is not only required but is also the first step to prevent or mitigate breaches of electronic protected health information,” said OCR Acting Director Anthony Archeval. “Effective cybersecurity includes knowing who has access to electronic health information and ensuring that it is secure.”
For those wondering how committed the OCR is to its enforcement initiatives, you need not look further than its Right to Access Initiative. On March 6, 2025, the agency announced its 53rd enforcement action. According to that announcement, it involved a $200,000 civil monetary penalty imposed against a public academic health center and research university for violating an individual’s right to timely access her medical records through a personal representative.
The DOL Cybersecurity Rule
Businesses that sponsor a group health plan or other ERISA employee benefit plans might want to review the OCR’s announcement and resolution agreement concerning Health Fitness a little more carefully. In 2024, the DOL’s Employee Benefits Security Administration (EBSA) issued Compliance Assistance Release No. 2024-01. That release makes clear that the fiduciary obligation to assess the cybersecurity of plan service providers applies to all ERISA-covered employee benefit plans, including wellness programs for group health plans.
OCR commenced its investigation of Health Fitness after receiving four reports from Health Fitness, over a three-month period (October 15, 2018, to January 25, 2019), of breaches of PHI. According to the OCR, “Health Fitness reported that beginning approximately in August 2015, ePHI became discoverable on the internet and was exposed to automated search devices (web crawlers) resulting from a software misconfiguration on the server housing the ePHI.” Despite these breaches, according to the OCR, Health Fitness had failed to conduct an accurate and thorough risk analysis, until January 19, 2024.
For Health Fitness, it agreed to implement a corrective action plan that OCR will monitor for two years and paid $227,816 to OCR. For ERISA plan fiduciaries, an important question is what they need to do to assess the cybersecurity of plan service providers like Health Fitness during the procurement process and beyond.
We provide some thoughts in our earlier article and want to emphasize that plan fiduciaries need to be involved in the process. Cybersecurity is often a risk left to the IT department. However, doing so may leave even the most ardent IT professional ill-equipped or insufficiently informed about the threats and vulnerabilities of the particular service provider. When it comes to ERISA plans, this means properly assessing the threats and vulnerabilities as they relate to the aspects of plan administration being handled by the service provider.
Third-party plan service providers and plan fiduciaries should begin taking reasonable and prudent steps to implement safeguards that will adequately protect plan data. EBSA’s guidance should help the responsible parties get there, along with the plan fiduciaries and plan sponsors’ trusted counsel and other advisors.
OCC Signals Shift on Crypto and Debanking Under Acting Comptroller Hood
On March 18, Acting Comptroller of the Currency Rodney Hood reiterated the OCC’s commitment to ensuring fair access to banking services, including for cryptocurrency firms. Speaking at a retail banking industry conference, Hood stated that the OCC would not tolerate so-called “debanking” without individualized risk assessments. He emphasized that banks must evaluate businesses—including those in the crypto sector—based on objective criteria rather than categorical exclusions.
Hood’s remarks signaled several key potential policy shifts:
Leveling the playing field for crypto activities. Banks engaging with digital asset companies should be evaluated under the same supervisory frameworks as traditional financial services.
Firm Risk Management Expectations. While easing entry for crypto-related banking services, banks must still meet core regulatory requirements, including capital, cybersecurity, and BSA/AML compliance.
No Mandates on Account Closures. Hood reaffirmed that the OCC does not direct banks to open or close specific accounts and that such decisions should reflect each customer’s unique risk profile.
Fintech Expansion & Regulatory Innovation. The OCC plans to launch a fintech regulatory sandbox and recently granted a new fintech bank charter—the first in five years—as part of broader efforts to encourage responsible fintech innovation.
Putting It Into Practice: The OCC recently clarified that banks are authorized to provide crypto custody services, hold stablecoin reserves for issuers, and participate in blockchain networks to process and validate payments, including stablecoin transactions. These developments, along with Hood’s comments, reflect a broader policy shift under the second Trump Administration favoring cryptocurrency adoption and challenging alleged politically motivated banking restrictions (previously discussed here and here). In addition, Hood’s comments on de-banking follow efforts by states such as Florida and Tennessee to tackle perceived “de-banking” of consumers with conservative ideologies (previously discussed here and here).
New Ohio Transparency Pricing Rules for Hospitals Come with Limits to Targeted Advertising
Starting April 3, Ohio hospitals will have to navigate new requirements under House Bill 173. This law mandates greater transparency in healthcare pricing. It also includes rules on the sale of, and targeted advertising based on, personal information hospitals collect from price estimator tools (discussed in more detail below). The law applies to hospitals in Ohio, defined as any facility providing inpatient medical services for periods longer than twenty-four hours.
Transparent pricing for services
HB 173 requires hospitals to provide consumers with public pricing information for all hospital items and services. Hospitals need to create a digital list of all standard charges for their services. This list must be easy to access, free of charge, and cannot require any personal information from the user. These provisions are designed to help patients understand how much they will have to pay for medical services. Hospitals also have to offer information about “shoppable services” (e.g., services that can be scheduled in advance).
To meet this transparency requirement, hospitals either must provide a list of shoppable services, or provide an internet-based price estimator tool that helps patients estimate costs for these types of procedures.
Targeted advertising
For hospitals that decide to use a price estimator tool, there are restrictions on how personal information the tool collects can be used. Specifically, the law prohibits hospitals from using personal information collected from the use of the tool for targeted advertising. The law defines targeted advertising as displaying an ad that is selected based on personal data obtained from the use of a hospital’s internet-based price estimator tool by a person in Ohio. This means that hospitals cannot show consumers specific ads based on the information a person provides to estimate healthcare costs. Hospitals are also not allowed to sell personal information collected from price estimator tools. While “sell” is not defined under the law, it is most likely to be interpreted closer to HIPAA definitions than state consumer privacy laws. Sell under HIPAA means direct or indirect remuneration in exchange for PHI.
The law provides specific exclusions for what is considered targeted advertising. Hospitals can still advertise based on a user’s direct request for information or their activities on the hospital’s own websites. Ads that are shown based on the context of a user’s search or visit are also excluded. Additionally, using data to measure how effective ads are is not considered targeted advertising. However, covered entities must continue to be mindful of OCR’s guidance with respect to the use of tracking technologies as well.
Putting it into Practice: Hospitals in Ohio may need to adopt new practices to remain compliant with the law. This includes making sure their websites provide easy-to-find pricing information for patients. Additionally, hospitals should confirm personal information from price estimator tools isn’t used for targeted advertising.
5 Ways Estate Attorneys Can Bring Order to Their Clients’ Digital Asset Chaos
Digital assets are exploding. According to NordPass, the average person now has 168 online accounts, and that list is growing all the time — in both volume and value. A new survey from Bryn Mawr Trust found that Americans estimate an average value of $191,516 in digital assets; yet, 76% of them still have little to scant knowledge of digital estate planning. More problematic, many advisors still do not acknowledge digital assets as a general asset category to address with clients. As a result, many estate plans inadequately address — or completely ignore — access to and the disposition of digital assets.
Digital assets, at a high level, include: digitally stored documents, email accounts and electronic communications, loyalty program rewards and airline miles, photos and videos, social media accounts, cryptocurrency, subscriptions, online businesses, other digital interests, and accounts controlled by service providers. They all now demand proper estate planning.
Why does any of this matter? Overlooking digital assets leaves the legal representatives of the estate (i.e. executor, administrator, and personal representative):
Potentially locked out of valuable digital assets and accounts, resulting in a direct financial or sentimental loss to the estate and its beneficiaries.
Spending countless hours and resources trying to gain access to said accounts.
Dealing with exposed personally identifiable information from the decedent’s various online accounts, leaving them vulnerable to identity theft and other cybersecurity risks.
In addition to failing to comprehensively serve evolving client needs, a lack of planning in this area could expose attorneys and other advisors to potential future liability. How to access and transfer digital assets should be a standard part of every client conversation for the modern estate planning advisor.
Digital assets are more ubiquitous and valuable than ever, so why does a large swath of the estate planning community still lag behind in addressing this critical area?
This generally stems from a lack of understanding of:
The prevalence of digital assets in most clients’ lives;
The potential negative impact if these assets are overlooked;
How to address this topic with clients;
How to effectively incorporate digital interests into estate plans and accompanying materials; and
Where to turn to for technical guidance and support.
The following general guidelines are aimed to help estate planning advisors better understand this developing area and begin to guide clients through the digital estate planning process, in order to protect clients, their legal representatives and beneficiaries, and our practices:
1. Educate Clients on the Importance of Digital Asset Planning
Most clients don’t realize the risks of ignoring their digital behaviors and footprint. In fact, you have probably heard some say: “I don’t have any digital assets.”
Further, many advisors and clients operate under the ill-advised assumption that, if they don’t own any cryptocurrency, then they don’t have any digital assets. However, the reality is the majority of people have a plethora of digital assets and accounts. Whether they realize it or not, our clients are creating digital footprints in a multitude of ways, every day, often without a second thought. As technology progresses, our digital and physical lives are reaching new levels of entanglement.
So, if a client has, at a minimum:
Photos or videos on a device or in a cloud
Email accounts (and other online electronic communications, Slack, Google Chat, WhatsApp, etc.)
Social media profiles
Online banking, utility, or shopping accounts
Cloud storage (Google Drive, iCloud, etc.)
Loyalty programs or airline miles
…they are accumulating digital assets, accounts, and interests that require protection and planning.
Many clients may also now have an interest in or accumulate:
Domain names and websites
Digital works, recordings, and content (artists and creators)
Ecommerce and other online businesses (e.g., Etsy, Amazon, etc.)
Cryptocurrency, NFTs, and Forex
Gaming tokens
Metaverse or other virtual property
Avatars, digital twins, and personalized bots (and customized AI large language models)
Name, image, and likeness (NIL) considerations, where applicable
… which require even more protection and planning.
The diverse categories of digital assets above demonstrate why it’s important to ask clients questions about their digital behaviors as part of the standard estate planning conversation. Here are a few examples of questions to help initiate the digital asset planning discussion:
Do you use online bill pay for any of your recurring expenses?
Who handles this in your household?
How many personal email accounts do you use?
How much shopping do you do online?
What are your three most important digital assets?
How do you store photos and videos?
Do you use social media?
What, if any, important information do you still receive through traditional mail?
If something suddenly happened to you, is there information in cyberspace or data in a device that would need to be accessed to help administer your estate or that you would want to be transferred to a certain individual or deleted?
These questions are just the beginning of the conversation and can provide a wealth of information to direct the structure of the digital asset aspect of the plan, which should be based on the needs and desires of the client.
2. Help Clients Inventory Their Digital Assets
Most clients underestimate the size of their digital footprint. Beyond social media and email, they often have a mix of valuable, sentimental, and potentially vulnerable digital accounts with personally identifiable information that need managing. As part of gathering general asset and liability information for a client at the beginning of the planning process, collecting information regarding digital assets, accounts, and devices and understanding digital behavior should be standard practice.
There are online services to help you handle this, but here are some tips if you want to do it yourself:
Start with Hardware
An inventory should have an area for clients to list all devices that store data, access online accounts, or store biometric information:
Computers & Laptops
Smartphones & Tablets
External Drives, Flash Drives & Hard Wallets
E-Readers, Digital Cameras & Music Players
Wearables, Smart Glasses & Gaming Devices
Alarms & Smart Home Systems
Tip: Even old devices may store sensitive data that requires attention and protection.
Include Stored Data
The inventory should go beyond hardware and map out where digital files reside:
Cloud Services: Google Drive, iCloud, Dropbox, etc.
Local Drives & External Storage: Hard drives, SD cards, USBs
Backups & Archives: Time Machine, Windows Backup
AWS Drives and Services
Applications
Many clients and advisors overlook the personal and financial data tucked away in the cloud, applications, or on forgotten drives. Where is that manuscript? Where are all the family photos and videos stored?
List Online Accounts & Digital Assets with Monetary or Sentimental Value
The inventory should also include all online accounts and digital assets with monetary or sentimental value, as this is where assets can be overlooked, which could result in financial or other loss. Encourage clients to list:
Email Accounts: The gateway to most digital assets and accounts in a paperless world.
Social Media: Facebook, LinkedIn, Instagram, etc.
Financial Platforms: Banks, PayPal, Venmo, Wallets/Exchanges
E-Commerce & Subscriptions: Amazon, streaming services, food delivery
Utilities & Loyalty Programs: Household bills, airline miles, hotel points
Cryptocurrency (date acquired, purchase price, type, blockchain, method stored, public exchange/self-custody? If self-custody, how held [hot storage/cold storage]? How are keys/recovery seed phrases stored?)
NFTs (date acquired, price, blockchain, internet location, transfer rights, royalties, etc.?)
Pro Tip: Have them scan emails for receipts and password reset links to uncover forgotten accounts.
Flag Web-Based Assets & Intellectual Property
For entrepreneurs, creators, or side hustlers, dig deeper:
Domain Names & Hosting Accounts
Websites, Blogs & Online Stores (Shopify, Etsy, and Amazon)
Creative Works: Copyrighted materials, trademarks, code, art, photography, etc.
Having an inventory of the digital assets and accounts of a client stored in a safe location will save significant time and expense in the future. It is also important to periodically update the inventory as digital interests change and expand. Sharing this type of information is prohibited under several federal laws, such as the Computer Fraud and Abuse Act and the Stored Communications Act.
3. Help Clients Set Wishes For Each Asset
Not all digital assets and accounts should be treated equally. Digital asset planning cannot be done using a one-size-fits-all approach. Digital assets and behaviors can vary widely among clients, much like general planning needs for traditional assets.
For instance, some clients will want to preserve family photos or social media accounts, while others may want certain accounts deleted for privacy. It’s important to note: even if digital assets and accounts can be legally accessed by an estate representative, legal access does not equate to actual use, and oftentimes, additional pre-planning measures are required to provide instructions on how to use digital assets or what to do with them once accessed (e.g., an Etsy shop or small online business with intellectual property). This type of use information is not customarily included in the legal documents in an estate plan and instead should be provided through instruction manuals, a tech management plan, or other user-related information as part of the overall planning process.
Other clients may still want to liquidate and transfer crypto assets to their estate representatives, which can require additional technological expertise and assistance, and the timing of this can also have potential tax and valuation implications. Cryptocurrency poses its own set of unique planning challenges, which can vary depending on the type of crypto and how it is held (i.e. public exchange or self-custody [which can also take on various forms]) and planning for this type of interest will be further addressed in a future article.
It is important to discuss the following considerations with clients:
Access/Transfer
Can the digital asset be legally transferred or does the user only have a lifetime license?
Can the digital asset be legally owned or accessed by a trust?
Are there revenue-generating accounts, cryptocurrency wallets, or loyalty points that should be preserved or transferred to the estate?
Should online businesses or websites be transferred to a successor or closed and how are these activities being supported during transitional periods?
What information is going to need to be immediately accessible to legal representatives in the event of sudden incapacity or death?
Preserve
Should sentimental assets like family photos, records, videos, or social media profiles be archived for future generations? Who should be the recipient(s)? Should these digital memories be saved in other formats to ensure ease of access?
Is there any intellectual property, like creative works or digital art, that needs to be preserved?
Are there recurring subscription fees for software, programs, or platforms connected to or necessary to use/access the digital interest?
Is the digital asset or interest located online or contained in a computer, device, or hard drive? How are items of tangible property that can have intangible digital components handled in an estate plan?
Close
Which accounts should be permanently closed or scrubbed to protect privacy, such as unused subscriptions, wearables, or social media profiles?
Is there any sensitive data that should be wiped, like email accounts or online shopping accounts, or data on a device to prevent identity theft?
Be Aware of Online Tools & RUFADAA Compliance
As part of this conversation, clients must also understand the Revised Uniform Fiduciary Access to Digital Assets Act (RUFADAA), a law adopted by most states to regulate access by a fiduciary (i.e. executor, administrator or personal representative of an estate, trustee of a trust, agent under power of attorney, and guardian of an incapacitated person’s estate) to the digital assets and accounts of a user. Under RUFADAA, users must explicitly authorize fiduciary access based on a three-tier hierarchy:
An Online Tool (a separate agreement between the user and a service provider, which provides directions for the disclosure or non-disclosure of digital assets)
Estate planning documents that address fiduciary access (if an Online Tool is not available or used); and
Terms of Service Agreements (TOSAs) apply if neither of the first two exist. However, many TOSAs restrict or prohibit asset transfers or are silent on fiduciary access, often requiring a court order for access in many situations.
Even if fiduciary access provisions are incorporated into an estate plan, some service providers may still require a court order authorizing access before it is provided or may limit access to certain information. For example, electronic communications, such as the contents of an email, are subject to a heightened standard of privacy under RUFADAA and access must be specifically authorized in estate planning documents or an Online Tool to be disclosed. Obtaining court orders to access digital accounts can be time consuming and expensive — increasing the importance of clear instructions and directives for digital assets to reduce delays and potential legal hurdles.
In addition, identifying accounts where Online Tools have been utilized is important to include in the digital asset inventory. The use of an Online Tool is similar to a beneficiary designation for traditional assets (i.e. retirement plans, investment accounts, and life insurance policies) without the well-settled law to invalidate designations in a variety of situations. Using Online Tools has many benefits and can streamline access, but should be done with great care and reviewed as part of an overall estate plan.
Additionally, new tech solutions have entered the marketplace to help advisors and clients manage digital estates and legacies. These platforms offer inventory tools, secure storage, and digital memorialization services. Such platforms can help reduce legal hurdles, ensure a secure and seamless transition of digital assets and important information, and better serve future estate representatives and practitioners as they carry out the client’s wishes.
4. Partner With Tech-Savvy Professionals & Advisors
The transfer and access of property, including digital assets (that are not controlled by an Online Tool or TOSA), is carried out through the estate administration process, and what a fiduciary is allowed or prohibited to do is determined by jurisdictional estate and fiduciary laws and the provisions of a will or revocable trust.
Unlike physical assets, which can often be easily identified and transferred, digital assets may be protected by passwords, encryption, and privacy policies. They could also have complicated technological components, making them difficult to access without the help of seasoned experts.
While some clients have more complicated technological needs, one solution to address this situation is to empower the fiduciary to be able to hire technology experts to assist with administration of the digital estate.
Another option is to appoint a technology advisor or committee in the planning documents for the fiduciary to utilize. Technical advisor appointments can define the scope of the advice to be provided, requisite technical expertise aligned with a specific digital asset, and include discretionary powers that can be modified by the fiduciary.
Lastly, estate advisors should be familiar with different types of advisors to serve their clients’ digital interests and needs. For example, some digital assets may be hard to value, requiring specialized expertise from qualified appraisers. Other clients may have their personal or business IT systems hacked, requiring referrals to competent cybersecurity teams and outfits.
5. Make It Legally Binding and Review Regularly
There are many types of clients with varying digital usage that impact both technical and legal aspects of an estate plan. A well-structured digital estate plan should be actionable, secure, and seamlessly integrated with an overall estate plan.
A basic estate plan typically includes:
A will
In some states, a revocable trust
Financial and healthcare powers of attorney
At a minimum, practitioners should discuss with their clients the laws governing fiduciary access to digital assets in their jurisdiction, and whether the client intends to provide for the access or deletion of their digital assets and accounts.
Best Practices for Drafting Digital Asset Provisions
The will should include a clear digital asset clause specifying the client’s intent regarding:
Fiduciary access to digital assets, electronic communications, and online accounts.
A definition of digital assets.
Revocable trusts and financial powers of attorney should echo these directives.
Wills and/or revocable trusts should designate beneficiaries for each digital asset.
Never list usernames or passwords directly in a will or trust. Instead, store this information in a secure location.
For clients with complex digital assets, additional documents may be necessary, such as:
Instruction manuals detailing access and management procedures.
Technology management plans to optimize access and use.
As discussed above, if Online Tools are used as part of the planning process, the designated recipient named in the Online Tool or the directive provided will trump fiduciary access provisions in a will or revocable trust.
Reviewing the overall plan on a regular basis helps ensure the plan remains current and provides an opportunity to realign the plan with life changes, new digital assets, and technology platforms designed to help clients and practitioners manage digital assets.
Estate Planners: the Time to Act is Now
Digital assets must no longer be treated as an “emerging” asset class. It’s 2025 — they’ve effectively emerged. For practitioners putting off digital asset planning, make no mistake: digital asset proliferation isn’t going anywhere. The need for this type of planning will only further spike and grow more complicated. Our clients have a digital life, and we must acknowledge that managing digital footprints, devices, accounts, and assets is non-negotiable for a comprehensive estate plan.
As trusted advisors, we must keep apprised of the legal and technical developments surrounding digital assets with the same diligence we apply to staying atop legislative and tax changes that may impact planning. There is too much at stake to ignore or take lightly this growing challenge. Doing so puts our clients at risk and exposes our practices to potential liability. Our clients expect us to secure their digital legacies with a modern approach to the planning process. They expect us to help them bring order to their digital chaos.
Now, it’s time we deliver.