15 May 2025
Contributor
Holland & Knight is a global law firm with nearly 2,000 lawyers in offices throughout the world. Our attorneys provide representation in litigation, business, real estate, healthcare and governmental law. Interdisciplinary practice groups and industry-based teams provide clients with access to attorneys throughout the firm, regardless of location.
Highlights
- Health Insurance Portability and Accountability Act (HIPAA)-covered entities and healthcare organizations must now comply with additional national security regulations issued by the U.S. Department of Justice (DOJ) and the Cybersecurity and Infrastructure Security Agency (CISA). These rules restrict the transfer of bulk U.S. sensitive personal data, including de-identified or encrypted health data, to certain foreign countries and entities.
- Affected organizations should reassess data-sharing practices, update HIPAA business associate agreements and vendor contracts, and implement the security controls specified by CISA to prevent unauthorized access by countries of concern or "covered persons."
- The DOJ can impose steep civil and criminal penalties, including civil fines of up to the greater of $368,136 or twice the value of each violating transaction, and imprisonment for willful violations. Though enforcement will focus on egregious, willful violations during the initial 90-day period, prompt compliance remains critical.
Health Insurance Portability and Accountability Act (HIPAA)-covered entities and business associates should be familiar with restrictions on the use or disclosure of protected health information (PHI) under the HIPAA rules. Several new requirements may impose more stringent restrictions on certain health data.
For example, de-identifying PHI under HIPAA has been a widely accepted way of gleaning insight from PHI without compromising the privacy or security of the underlying identifiers. Once PHI has been properly de-identified, either through the so-called "safe harbor" method or the expert determination method, HIPAA's restrictions no longer apply to the data. Setting aside state laws that may be more stringent than HIPAA, covered entities could previously use or disclose de-identified PHI for any purpose without restriction.
For some in the healthcare industry, that may have changed. On April 11, 2025, the U.S. Department of Justice (DOJ) announced steps it was taking to proceed with a Data Security Program designed to prevent foreign adversaries, including China, Russia and Iran, from accessing Americans' sensitive personal data and exploiting U.S. government-related data. The DOJ's April 11 press release indicated that the program is aimed at preventing these adversaries from using this data "to commit espionage and economic espionage, conduct surveillance and counterintelligence activities, develop artificial intelligence (AI) military capabilities and otherwise undermine our national security." These data transfer prohibitions can extend to aggregated and de-identified health data, which means organizations may need to review data transfers that have historically been viewed as safe, low-risk activities.
Executive Orders
This Data Security Program is a largely bipartisan effort implemented by the DOJ's National Security Division (NSD). On Feb. 28, 2024, President Joe Biden issued Executive Order (EO) 14117, "Preventing Access to Americans' Bulk Sensitive Personal Data and Government-Related Data by Countries of Concern" (the EO). The EO expanded the scope of the national emergency declared by President Donald Trump on May 15, 2019, in EO 13873, "Securing the Information and Communications Technology and Services Supply Chain," and President Biden's prior June 9, 2021, EO 14034, "Protecting Americans' Sensitive Data from Foreign Adversaries."
The EO directed the U.S. Attorney General, in coordination with the Secretary of Homeland Security and in consultation with the heads of relevant agencies, to issue regulations governing prohibited and restricted transactions, including those involving the transfer of bulk sensitive personal data. "Prohibited transactions" are data transactions that are barred outright, whereas "restricted transactions" are permitted only subject to conditions imposed on a U.S. person engaging in "a vendor agreement, employment agreement or investment agreement with a country of concern or covered person."
The EO also directed the Homeland Security Secretary, acting through the director of the Cybersecurity and Infrastructure Security Agency (CISA), to coordinate with the attorney general and relevant agency heads to publish security requirements addressing the unacceptable risk posed by restricted transactions.
The DOJ subsequently issued its regulations at 28 C.F.R. §§ 202.1001-202.1201 (DOJ Rules) on Jan. 8, 2025, and CISA issued its Security Requirements for Restricted Transactions on Jan. 3, 2025. These requirements are addressed further below.
Protecting Americans' Data from Foreign Adversaries Act
Separate from the EO, the Protecting Americans' Data from Foreign Adversaries Act (PADFAA) was passed by Congress and signed by President Biden. It went into effect on June 23, 2024, and is enforced by the Federal Trade Commission (FTC). The law is fairly short and simply prohibits a data broker from transferring "personally identifiable sensitive data" of a U.S. individual to 1) any foreign adversary country or 2) any entity that is controlled by a foreign adversary. A "data broker" is defined as an entity that provides such information "for valuable consideration."
PADFAA defines "personally identifiable sensitive data" broadly. It includes government identifiers, health information, biometric and genetic information, precise geolocation information, the content and metadata associated with private communications, private content, calendar and contact information, video viewing activity, demographic information and online activities. Unlike the DOJ Rules, this definition does not depend on the quantity of the information.
Given these nuances, PADFAA is broader than the EO in some respects and narrower in others. In the Jan. 8, 2025, preamble to the DOJ Rules, the National Security Division observed that "[n]o current federal legislation or rule categorically prohibits or imposes security requirements to prevent U.S. persons from providing countries of concern or covered persons access to sensitive personal data or government-related data through data brokerage, vendor, employment or investment agreements." The DOJ therefore asserted that PADFAA does not create a sufficiently comprehensive regulatory scheme to address national security risks adequately.
Committee on Foreign Investment in the United States
The Committee on Foreign Investment in the United States (CFIUS) has the authority to evaluate the potential national security risks of certain investments by foreign persons in U.S. businesses that maintain sensitive personal data of U.S. citizens. CFIUS reviews such investments on a transaction-by-transaction basis.
CFIUS' authority is codified at 50 U.S.C. § 4565. "Sensitive personal data" is defined in 31 C.F.R. § 800.241 to include, among other things, identifiable data maintained or collected by a U.S. business that is contained in applications for health insurance or that relates to the physical, mental or psychological health condition of an individual.
"Identifiable data" does not include aggregated or anonymized data if it cannot be used to distinguish or trace an individual's identity. It also does not include encrypted data unless the U.S. business that maintains or collects the data has the means to decrypt it.
The DOJ Final Rules and Guidance
The DOJ Rules are the most recent federal restrictions that encompass certain health-related data and became effective on April 8, 2025. The restrictions apply to government-related data or "bulk U.S. sensitive personal data." Importantly, they apply to bulk U.S. sensitive personal data "regardless of whether the data is anonymized, pseudonymized, de-identified or encrypted" (emphasis added).
With respect to sensitive personal data, "bulk" means sensitive personal data that exceeds any of the following thresholds in the preceding 12 months, including combined data sets in which any single data type meets its threshold:
- human omics data on more than 1,000 persons, or human genomic data involving more than 100 persons
- biometric data on more than 1,000 persons
- precise geolocation data maintained on more than 1,000 U.S. devices
- personal health data on more than 10,000 U.S. persons
- personal financial data on more than 10,000 U.S. persons
- covered personal identifiers on more than 100,000 U.S. persons
This definition excludes:
- stand-alone demographic or contact data (e.g., full name, birthplace, ZIP code, address, phone number, email address and similar public account identifiers)
- a stand-alone, network-based identifier necessary for the provision of telecommunications, networking or similar services (e.g., an IP address without associated user activity)
The restrictions apply to transactions involving "countries of concern" and the "covered persons" associated with them (e.g., individuals residing in such a country). The countries of concern currently are:
- China (including Hong Kong and Macau)
- Cuba
- Iran
- North Korea
- Russia
- Venezuela
Important for healthcare entities is an exception for certain clinical investigations and post-market surveillance. Specifically, certain FDA-regulated investigations, and clinical investigations that support certain FDA applications, are not subject to the restrictions. The preamble to the DOJ Rules states that the DOJ "does not intend to categorically preclude clinical investigations from being conducted in a country of concern and does not believe that the rule, even without the clinical investigation-focused exception, does so." Additionally, if a transaction is necessary to obtain or maintain regulatory approval to market or research drugs, devices or certain other products, that transaction is permitted, but only if the bulk sensitive data is de-identified or pseudonymized.
The NSD released a compliance guide and a list of FAQs to assist the public in efforts to comply with the DOJ Rules. The compliance guide emphasizes that those who maintain Americans' sensitive personal data must "know their data," including what data is collected, how the information is used, whether the company engages in covered data transactions and how the data is marketed. The compliance guide notes that "[s]ensitive personal data could be exploited by a country of concern or a covered person to harm U.S. national security if that data is linked or linkable to any identifiable U.S. individual or to a discrete and identifiable group of U.S. persons." This is the case even with anonymized data, because it may be aggregated and "used by countries of concern and covered persons to identify individuals and to conduct malicious activities that implicate the risk to national security."
U.S. persons engaging in data brokerage transactions with foreign persons other than covered persons must include contractual language prohibiting the foreign person from reselling or transferring government-related data or bulk U.S. sensitive personal data to covered persons or countries of concern, and the compliance guide provides sample contract language.
Under the International Emergency Economic Powers Act (IEEPA) and the Data Security Program (DSP), the NSD can bring civil and criminal enforcement actions for violations of DSP requirements. Civil penalties under IEEPA can go as high as the greater of $368,136 or twice the value of each transaction in violation. Willful violations of IEEPA can carry criminal penalties of up to 20 years in prison and a $1 million fine.
Though the DOJ has indicated that the threat to U.S. bulk sensitive personal data is "increasingly urgent, and ensuring prompt compliance with the DSP requirements is critical," during the first 90 days after the DOJ Rules became effective (until July 8, 2025), the NSD will reserve penalties and enforcement actions "for egregious, willful violations."
The promulgation of these federal restrictions in recent years means that HIPAA-covered entities and other healthcare companies cannot allow their compliance activities to be limited to HIPAA. These companies need to assess the new requirements to determine whether they apply, particularly whether they need to impose further restrictions on the outbound transfer of anonymized, pseudonymized and de-identified health data.
It may also be necessary to update existing contracts, including HIPAA business associate agreements, to prevent data recipients from transferring data to prohibited recipients. To that end, the DOJ has released sample contract language in its compliance guide that organizations can consider adopting.
CISA Requirements
The CISA requirements were issued to safeguard restricted transactions and, in relevant part, specify a series of NIST-based security measures for covered systems that hold bulk U.S. sensitive personal data and may be accessible to "covered persons" (e.g., individuals in China). The purpose of these security requirements is to mitigate the risk of sharing bulk U.S. sensitive personal data and government-related data with countries of concern or such covered persons.
CISA indicated that the requirements are necessary to ensure an organization has the ability to adhere to the data-level security requirements that address the risks identified by the DOJ. These requirements are in addition to any conditions imposed by the DOJ, such as the DOJ Rules, and apply only to organizations that engage in restricted transactions.
A covered system subject to the CISA requirements must prevent "covered persons" from accessing the covered data. A covered system includes any information system that interacts with covered data as part of a restricted transaction, even if the data is encrypted or de-identified. It does not include information systems, such as end-user workstations, that can merely view sensitive personal data but do not ordinarily interact with such data in bulk form, unless they allow viewing of sensitive personal data that is also government-related data. Terms such as "countries of concern" and "covered person" are defined in the DOJ Rules.
The content of this article is intended to provide a generalguide to the subject matter. Specialist advice should be soughtabout your specific circumstances.