FinCEN Extends Certain Deadlines After Federal Appeals Court Revived CTA Reporting Obligations 

12 4 Advisory Cta 1200x628

Updated December 24, 2024

Within hours of the Fifth Circuit’s ruling that lifted a nationwide preliminary injunction against the CTA, FinCEN announced that it had extended certain compliance deadlines, including:

  • Reporting companies created or registered prior to January 1, 2024, that had a filing deadline of January 1, 2025, now have until January 13, 2025, to file their initial reports with FinCEN.
  • Reporting companies created or registered on or after September 4, 2024, that had a filing deadline between December 3, 2024, and December 23, 2024, now have until January 13, 2025, to file their initial reports with FinCEN.
  • Reporting companies created or registered on or after December 3, 2024, and on or before December 23, 2024, now have an additional 21 days from their original filing deadline (i.e., 90 days from creation or registration, plus 21 days) to file their initial reports with FinCEN.

As a reminder, reporting companies created or registered on or after January 1, 2025, have 30 days to file their initial reports with FinCEN. This compliance deadline is unchanged.

Additionally, the CTA requires any reporting company that has filed an initial report with FinCEN to submit an updated report within 30 days of certain events, including any change to information required to be reported to FinCEN. This compliance obligation is unchanged.

On December 24, 2024, the Plaintiffs in Texas Top Cop Shop, Inc. v. Garland filed an emergency petition with the Fifth Circuit for en banc review of the panel’s decision to stay the lower court’s injunction. According to the Plaintiffs, the panel’s ruling that the CTA is a valid exercise of Congress’s commerce power is in “plain conflict” with U.S. Supreme Court precedent. The Plaintiffs request that a decision be made by January 6, 2025, which is one week before the extended compliance deadline described above. Varnum will continue monitoring developments.

December 23, 2024

At approximately 1:30 pm Eastern Time on December 23, 2024, the United States Court of Appeals for the Fifth Circuit (Fifth Circuit) revived the immediate enforceability of the Corporate Transparency Act (CTA). In Texas Top Cop Shop, Inc. v. Garland, a three-judge panel of the Fifth Circuit stayed a lower court’s nationwide preliminary injunction against the CTA, which was issued on December 3, 2024. This means that, among other obligations, the January 1, 2025, compliance deadline for reporting companies in existence as of January 1, 2024, is back in effect.

This situation is rapidly evolving. In the coming days, the challengers in this case could seek further review from the Fifth Circuit or seek relief from the United States Supreme Court. Additionally, several other federal courts are actively considering challenges against the CTA. At the time of this publication, the United States Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) has not publicly released any guidance based on today’s ruling.

Varnum’s CTA Taskforce is closely tracking this case, as well as the dozen other pending cases challenging the constitutionality of the CTA and will provide updates as they become available. 

California Cracks Down: CPPA Targets Unregistered Data Brokers

California Cracks Down: CPPA Targets Unregistered Data Brokers

The California Privacy Protection Agency (CPPA) announced a plan to enhance enforcement of the California Consumer Protection Act’s (CCPA) requirement for registration by data brokers, as unveiled during its November 2024 meeting. This initiative aims to identify businesses failing to register as data brokers, a designation under the CCPA for entities that knowingly collect and sell the personal information of consumers with whom they have no direct relationship.

The sweep of the data broker registration is intended to look at companies that did not register with the state by January 31, 2024, after meeting the criteria to be designated as data brokers in 2023. According to CPPA’s Executive Director Ashkan Soltani, “It’s crucial for data brokers to register with [the CPPA], so the public can be informed and empowered to exercise their rights” because “[t]he immense volume of personal information sold by data brokers can pose a significant threat to Californians’ privacy.”

Despite these requirements, many businesses remain unregistered—whether due to uncertainty about their classification as data brokers, a lack of awareness about the law or intentional avoidance of registration obligations. The CPPA’s registry sweep highlights the agency’s commitment to enforcement, underscoring the need for businesses to address their compliance obligations without delay. To comply, data brokers must register through the California Attorney General’s Data Broker Registry, pay an annual fee, and disclose details about their data collection practices. Noncompliance can lead to reputational risks and significant penalties, including a penalty of $200 per day.  This announcement is merely a preliminary identification that enforcement of the CCPA, including registration as a data broker, will continue to expand, particularly once the Delete Act takes effect January 1, 2026. The CPPA is expected to provide updates on the registry sweep and other regulatory developments at the next board meeting, which is scheduled for later this week on December 19, 2024. Details regarding virtual attendance are available on the CPPA’s website.

For businesses unsure of their status or struggling to navigate the complexities of the registry requirements, Varnum offers specialized guidance to ensure compliance and minimize risk. Contact Varnum’s Data Privacy team to proactively address these obligations and protect your business from enforcement actions while demonstrating a commitment to regulatory compliance.

Navigating Florida’s Corporate Practice of Medicine Doctrine

Navigating Florida's Corporate Practice of Medicine Doctrine

While the Corporate Practice of Medicine (CPOM) doctrine generally prohibits certain unlicensed individuals and/or entities from engaging in or otherwise being impermissibly involved in the practice of medicine, there is no one-size-fits-all rule or federal law to provide clear guidance for investing in health care-related entities and state-specific regulations vary widely.

As outlined in our previous advisory, Michigan’s CPOM doctrine combines statutory requirements and limitations and common law to generally prohibit unlicensed individuals or entities from owning or controlling medical practice entities. It also prohibits fee-splitting arrangements between licensed medical professionals and non-licensed individuals or entities. For example, Michigan’s Public Health Code defines an unethical business practice, in part, as the dividing of fees for the referral of patients. Additionally, Michigan’s Penal Code imposes criminal penalties on any physician or surgeon who (i) divides fees with, (ii) promises to pay part of their fee to, or (iii) pays a commission to any other physician or surgeon or person who consults with or sends patients to such physician or surgeon for treatment/operation. Other states approach the issues and implement the CPOM doctrine differently, though, and to different degrees.

Florida’s Approach to CPOM Compliance

Unlike Michigan, Florida does not explicitly prohibit the ownership or control of medical practice entities by unlicensed persons. However, the state has enacted laws that may impact certain CPOM-related issues, particularly regarding fee-splitting and health care referral practices.

Prohibition of Fee-Splitting in Florida

Florida statutory law prohibits any person, including any health care provider or health care facility, from engaging in any split-fee arrangement, in any form whatsoever to:

  1. Induce the referral of a patient or patronage to or from a health care provider or facility;
  2. In return for referring a patient or patronage to or from a health care provider or facility;
  3. In return for the acceptance or acknowledgment of treatment from a health care provider or facility; or
  4. Aiding, abetting, advising, or otherwise participating in the conduct prohibited above.

Florida also has two other split-fee-related statutes, which make it unlawful for any person to engage in any split-fee arrangement, in any form whatsoever, with any physician, surgeon, organization, agency, or person, directly or indirectly for patients referred to:

  1. A licensed facility or
  2. A pharmacy registered in the state.

Restrictions on Referrals and Unauthorized Practice of Medicine

In addition to fee-splitting prohibitions, Florida imposes strict restrictions on health care providers including:

  1. Prohibiting health care providers from referring patients for designated health services to an entity which the health care provider is an investor or has an investor interest,
  2. Prohibiting the unauthorized practice of medicine, meaning the practice of a health care profession or the performance or delivery of medical or health care services without a valid, active license to practice, and
  3. Permitting the operation of a Professional Service Corporation (PSC) and Professional Limited Liability Company (PLLC).

Professional Service Corporations and PLLCs in Florida

In Florida, a PSC and a PLLC are defined as a corporation or limited liability company organized for the specific purpose of rendering professional service. Simply put, a “professional service” is defined as any personal service to the public which requires a license or other legal authorization to perform such service.

To become a shareholder of a PSC or a member of a PLLC, individuals and entities must be licensed or legally authorized in the same professional service. PSCs and PLLCs can only provide services through their licensed shareholders, members, managers, officers, employees or agents. However, “employee” in this context, excludes roles that do not typically require licensure like clerks, secretaries, bookkeepers and technicians.

Health Care Clinic Licensing Requirements

In addition to the regulations governing PSCs and PLLCs, Florida’s Health Care Clinic Act requires health care clinics with unlicensed non-physician owners, to obtain a clinic license to operate. Under Florida law, “clinic” is defined as “an entity where health care services are provided to individuals and which tenders charges for reimbursement for such services…” In other words, a clinic license is required if the clinic bills a third party for its services and is owned by non-physicians.

Clinic licensure must be obtained from Florida’s Agency for Health Care Administration (AHCA).

Exceptions where a clinic license is not required include:

  1. Clinical facilities affiliated with accredited medical schools where training is provided for medical students, residents and fellows.
  2. Sole proprietorships, group practices, partnerships or corporations that provide health care services by licensed health care practitioners and is fully owned by one or more licensed health care practitioners.

Those clinics that fall under an enumerated exception may apply for a certificate of exemption.

The state-specific regulatory landscape facing medical professionals and entrepreneurs is complex. Understanding these requirements is essential to avoid legal risks. For more information or assistance with compliance under the Corporate Practice of Medicine, contact Varnum’s Health Care Team.

What Happens if You Don’t Have an Estate Plan in Place?

What happens if you don't have an estate plan in place?

If you pass away without an estate plan in place, the laws of the state where you reside at the time of your death determine the distribution of your assets among your spouse, children, parents, and in some cases, other closest living relatives. State laws attempt to predict how you would want your assets divided among these individuals, but this may not always align with your true wishes. Contrary to a common misconception, many married couples believe that their spouse will automatically inherit everything if there is no plan in place, which is not always the case. In the event of your passing, several scenarios may unfold:

  • If you are married with no children but have surviving parents, your parents may also be entitled to a portion of your estate.
  • If you pass away leaving a spouse and children, whether you and your spouse share all children will impact how much your spouse receives.
  • If you have children with someone other than your spouse your spouse may receive less of your estate.
  • If you are unmarried, you have not had any children, and you have no living parents, your assets will be divided among your closest living relatives.

While these legal relationships may not always align with your preferred asset distribution, existing estate planning measures can counteract these default rules. For instance, if you have designated beneficiaries for retirement accounts or life insurance policies, those assets will be distributed to the named beneficiaries outside of the probate process.

If you lack a comprehensive plan, your state’s laws of intestate succession determine the individual responsible for administering your estate. In Michigan, this person is known as a personal representative, while other states may refer to them as an executor. The personal representative initiates probate by filing necessary documents with the probate court, locates all your assets, settles outstanding debts, pays owed taxes, and eventually distributes your assets according to state law specifications.

Montana Consumer Data Privacy Act is Now in Effect: Is Your Business Prepared?

Montana Consumer Data Privacy Act is Now in Effect

As of October 1, 2024, the Montana Consumer Data Privacy Act (MTCDPA) is officially in force. Montana’s new privacy law joins the growing landscape of U.S. state data privacy laws, emphasizing the need for businesses operating in or targeting Montana residents to ensure compliance. The MTCDPA’s provisions align closely with other U.S. state data privacy frameworks, making it essential for businesses to assess and potentially adjust their existing privacy programs to meet Montana’s specific requirements. Below is a summary of the key aspects of the MTCDPA and practical guidance on how businesses can satisfy these obligations.

1. Scope and Applicability

The MTCDPA applies to entities conducting business in Montana or producing products or services targeted at Montana residents if they:

  • Control or process personal data of at least 50,000 Montana consumers (excluding personal data collected solely for payment transactions), or
  • Control or process personal data of at least 25,000 Montana consumers and derive more than 25% of gross revenue from the sale of personal data.

Notably, the MTCDPA has no general revenue threshold, which means businesses of varying sizes may fall under the law’s scope. Additionally, the MTCDPA does not apply to government entities, nonprofits, HIPAA-covered entities, or data regulated by other specified federal laws.

2. Consumer Rights

Montana residents are granted a range of rights over their personal data, closely mirroring those found in other state privacy laws. These rights include:

  • Access: The right to confirm if their data is being processed and to access it.
  • Correction: The ability to correct inaccuracies in their personal data.
  • Deletion: The right to delete their personal data held by a business.
  • Data Portability: The right to obtain a copy of their data in a portable format.
  • Opt-Out: The ability to opt-out of data processing for targeted advertising, the sale of data, or profiling that leads to significant legal effects.

Businesses must respond to verified consumer requests within 45 days, with the possibility of a 45-day extension, and consumers maintain the right to appeal refusals.

3. Businesses’ Obligations

Businesses subject to the MTCDPA must comply with the following requirements:

  • Transparency and Data Minimization: Businesses must provide clear and accessible privacy notices, outlining what data is collected, how it is used, and with whom it is shared. Personal data collection must be limited to what is necessary for the specified purpose.
  • Data Security: Businesses are required to implement reasonable security measures to protect the confidentiality, integrity, and accessibility of consumer data.
  • Sensitive Data: Processing sensitive data—such as biometric information, precise geolocation, and racial or religious data—requires prior affirmative consent from the consumer.
  • Opt-Out Preference Signal: By January 1, 2025, businesses must implement an opt-out preference signal to allow consumers to opt out of the sale or use of their data for targeted advertising.
  • Data Protection Impact Assessments (DPIAs): For activities that present heightened risks, such as processing sensitive data or engaging in targeted advertising, businesses must conduct and document DPIAs, which weigh the benefits of data processing against potential risks to consumers, with mitigation strategies clearly outlined.
  • Enforcement: The Montana Attorney General holds exclusive enforcement authority under the MTCDPA. If a violation is detected, businesses have a 60-day cure period to rectify the issue after receiving a notice from the Attorney General. This cure period will sunset on April 1, 2026, after which enforcement actions may be taken without a preliminary notice.

Preparing for Compliance

In light of the MTCDPA becoming legally effective, businesses should consider taking the following actions to ensure compliance:

  1. Assess the Applicability of the MTCDPA. Businesses should first determine whether the MTCDPA applies to their operations. As noted above, the law applies to entities that conduct business in Montana or produce products or services targeted at Montana residents, and either (1) process the personal data of at least 50,000 Montana consumers, or (2) process the personal data of at least 25,000 Montana residents and derive over 25% of gross revenue from the sale of personal data.
  2. Conduct Data Mapping. Though not legally required, conducting a data mapping exercise to identify data flows will help businesses understand what types of personal data they collected, how they process this data, and who has access to it, which will streamline businesses’ compliance with consumer rights requests and other MTCDPA obligations.
  3. Review and Update Privacy Disclosures. Businesses should ensure that their privacy policies are up-to-date and include all necessary disclosures required by the MTCDPA. This includes clarifying what personal data is collected, its purposes, with whom it is shared, and how consumers can exercise their rights.
  4. Implement Consumer Rights Request Procedures. Businesses must establish protocols for receiving, authenticating, and responding to consumer rights requests. This includes providing a clear mechanism for consumers to access, correct or delete their personal data, and to opt out of their personal data being used for targeted advertising and data sales. Businesses engaging in the sale of personal data or targeted advertising must recognize requests sent through an opt-out preference signal by January 1, 2025.
  5. Evaluate Data Protection Practices. Businesses should evaluate whether their current administrative, technical, and physical data security measures meet the MTCDPA’s standards, and ensure that data processing activities are limited to what is necessary for specified purposes.
  6. Monitor for Enforcement and Updates. Businesses should remain attentive to regulatory updates and enforcement actions taken by the Montana Attorney General to understand compliance expectations. The MTCDPA’s right-to-cure provision sunsets on April 1, 2026, after which penalties may increase for non-compliance.

While the MTCDPA does not introduce radically new obligations compared to other state laws, businesses must remain diligent in their compliance efforts. The similarity of the MTCDPA with existing privacy laws offers an opportunity to streamline compliance strategies, but the nuances of each state’s law, including Montana’s, require careful attention. Making adjustments to your privacy compliance program now will help avoid enforcement actions and align your internal practices with the growing expectations for consumer privacy across the U.S. Contact a member of Varnum’s Data Privacy and Cybersecurity Practice Team to discuss how these changes impact your business and how to help ensure compliance.

Federal Court Enjoins Enforcement of the CTA Nationwide; Reporting Companies “Need Not Comply” with January 1 Deadline

Federal Court Blocks Corporate Transparency Act Nationwide

UPDATE: On December 23, 2024, the Fifth Circuit issued a stay of the District Court’s nationwide injunction that had declared the CTA unconstitutional. Accordingly, as of December 23 at 4 p.m., the January 1, 2025 compliance deadline for entities in existence prior to January 1, 2024, among other CTA obligations, is back in effect. Read more in our latest advisory.

Varnum will continue monitoring developments.

On December 3, 2024, a Texas-based federal court issued a sweeping order prohibiting the federal government from enforcing the Corporate Transparency Act (CTA) anywhere in the country. Texas Top Cop Shop, Inc., et al. v. Garland, et al., Case No. 4:24-cv-478 (E.D. Tex.). The Court held that the CTA—which would have required an estimated 32.5 million companies in the United States as of January 1, 2024, to submit sensitive information regarding their “beneficial owners” (BOI) to the United States Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) by January 1, 2025—was likely unconstitutional and that its implementation would irreparably harm reporting companies if they were forced to comply. The Court enjoined the CTA’s enforcement nationwide, specifically stating that neither the Act nor its related regulations may be enforced, and that “reporting companies need not comply with the CTA’s January 1, 2025, BOI reporting deadline[.]”

The Court determined that Congress exceeded its legislative powers when it enacted the CTA, which the Court characterized as “quasi-Orwellian.” In the Court’s view, upholding the CTA and its requirement that most entities created or registered under state law must continually disclose information to the federal government “would be to rubber-stamp a new form of federal power” that would “threaten the very fabric of our system of federalism.” The Court saw the CTA as a dangerous precedent, observing that “[i]f the Court were to sanction such an extension of legislative power today, then there is no telling how Congress would control companies tomorrow. The fact that a company is a company does not knight Congress with some supreme power to regulate them in all aspects—especially through the CTA[.]” The Court further found that forcing reporting companies to comply with the CTA substantially threatens their constitutional rights. Given the CTA’s constitutional flaws and threatened harm, the Court enjoined the federal government from enforcing it pending further order of the Court.

Key Takeaways

Unlike other court decisions that have examined the CTA’s constitutionality, Texas Top Cop Shop explicitly enjoined the CTA nationwide, finding that “[a] nationwide injunction is appropriate in this case.” This means that “[existing] reporting companies need not comply with the CTA’s January 1, 2025, BOI reporting deadline,” and that FinCEN cannot enforce any of the CTA’s penalties for willful noncompliance against entities or individuals.    

In addition to existing companies whose reporting deadline was just weeks away, the CTA required companies created or registered in the United States during 2024 to submit a BOI report to FinCEN within 90 days of creation or registration, which timeframe would have shortened to 30 days as of January 1, 2025. According to FinCEN’s estimates, 5 million companies are created or registered in the United States each year and would be captured. As of last month, reportedly more than 8 million BOI reports had been submitted to FinCEN, most of which were presumed filed by newly formed reporting companies. The Court’s order enjoins enforcement of the entirety of the CTA.

The Court’s decision will likely not be the final word on the CTA’s enforceability. To begin, the Court entered only a preliminary injunction, which it could theoretically reconsider at some point in the future. The more likely next step, however, is that the government will immediately appeal this decision to the United States Court of Appeals for the Fifth Circuit. A further appeal could be taken to the United States Supreme Court. But unless a court specifically dissolves the Texas Top Cop Shop injunction, companies will not be required to comply with the CTA’s reporting requirements. 

Varnum’s CTA Task Force is closely tracking this case, as well as the dozen other pending cases challenging the constitutionality of the CTA, and will provide updates as they become available.

This advisory was originally published on December 4, 2024.

New HIPAA Attestation Form Requirements Begin December 23, 2024

New HIPAA Attestation Form Requirements

A new HIPAA Attestation Form is a reminder that HIPAA compliance remains an important part of compliance efforts for health plans. The new form is related to an update to the HIPAA regulations that, among other changes, add protections around data that might relate to reproductive rights.

Starting December 23, 2024, the new guidance prohibits the use or disclosure of protected health information (PHI) that may relate to legally provided reproductive health care when provided for either of the following purposes:

  • To conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where the health care is lawful under the circumstances.
  • The identification of any person for the purpose of conducting such investigation or imposing such liability.

To enforce this new restriction, the HIPAA Attestation Form was created and should be used whenever a request for the use or disclosure of PHI relating to reproductive health care is received. In addition to the new form, the new requirements should be incorporated into your existing training, policies and procedures, and Business Associate Agreements (BAAs). These are not the only changes. For example, by February 2026, virtually all Notices of Privacy Practices (NPPs) must be updated.

What Does This Mean for Health Plans?

All plans should take this as an important reminder to review their HIPAA compliance. The level of detail and number of documents and policies associated with HIPAA, and the level of modifications that may be needed, can vary significantly depending on how your plan is administered and operated. To discuss the changes and what your health plan needs to do to comply, contact a member of our benefits team, and we can help you evaluate how these changes will apply to your plan.

Michigan’s Earned Sick Time Act: Common Questions from Employers

Starting February 21, 2025, Michigan’s Earned Sick Time Act (ESTA) will replace the Michigan Paid Medical Leave Act (PMLA), significantly expanding employee eligibility for sick time benefits. To assist employers and human resources professionals, Varnum’s Labor and Employment team has prepared this FAQ primer based on the current version of ESTA. Please note that amendments to the ESTA have been proposed in the Michigan legislature; should any aspect of the law change, Varnum’s Labor & Employment team will provide updates. 

Who is covered by ESTA?

All Michigan employers, except the U.S. government, must adjust or implement policies to comply with ESTA requirements. ESTA applies, regardless of industry, to employers that employ one or more employees in Michigan.

Which employees are eligible to receive earned sick time?

All employees are eligible, regardless of classification. Salaried exempt employees under the Fair Labor Standards Act are presumed to work 40 hours per week or, if their position is based on a weekly schedule of fewer than 40 hours, their regular number of scheduled hours.

If employees are covered by a collective bargaining agreement (CBA), the Act will apply to such employees starting on the CBA’s expiration date, regardless of any provisions extending the CBA’s duration. If a particular CBA is silent as to sick time or PTO benefits, Labor and Economic Opportunity Commission (LEO) has stated that the Act may apply beginning on February 21, 2025.

What is the accrual rate for earned sick time?

Beginning February 21, 2025, or upon the employee’s start date, whichever is later, employees will accrue 1 hour of sick time for every 30 hours worked. Employers may require new employees to wait 90 days after hire to use accrued sick time, but accrual begins immediately upon hire.

How much earned sick time are employees entitled to?

  • Small businesses (fewer than 10 employees as calculated under the statute): Must provide up to 40 hours of paid earned sick time, with an additional 32 hours unpaid.
  • All other employees: Must provide up to 72 hours of paid earned sick time per year.

Does earned sick time carry over?

Yes. All accrued and unused sick time must carry over to the following year. ESTA does not impose a cap on accrual or carryover.

Can employers frontload the earned sick time?

Yes. Employers may frontload the full years’ worth of sick time at the beginning of the benefit year. However, the frontloading method implemented must comply with the ESTA’s accrual, usage, carryover and other provisions.

Does earned sick time have to be paid out?

No. The statute does not require employers to payout unused time. Employers should check and confirm their written policies align with their desired practices concerning payout, as a separate law requires employers to follow the policies they have set forth in writing. 

How should employers transition from their current policies to ESTA compliance?

The transition to ESTA compliance will vary depending on an employer’s current policies, workforce structure, technology, and their priorities related to cost, culture, level of administrative effort, and the like. Employers should first familiarize themselves with ESTA requirements. Then evaluate their existing leave policies and their hierarchy of priorities in comparison with ESTA’s requirements to determine whether a new standalone ESTA policy or modification of existing policies meets their business needs. Employers should then draft new or amended policies that comply with the ESTA, for implementation in accordance with the Act. Employers should also review and confirm that their payroll and recordkeeping systems are equipped for ESTA compliance by the effective date and should train managers and personnel who will have new responsibilities associated with the Act.  

Should we implement new policies now?

ESTA is scheduled to take effect on February 21, 2025. Although major changes are not currently expected ongoing legislative action between now and the effective date could lead to some changes in the act’s requirements. For most employers, the appropriate course may be to prepare for compliance by the deadline while staying informed about potential changes, and to implement on the Act’s actual effective date rather than sooner.

Navigating ESTA’s requirements can be complex. Varnum’s labor and employment attorneys have prepared a comparison chart between the PMLA and ESTA to help guide you through the transition. Contact us with any questions or for assistance in achieving ESTA compliance.