U.S. Health Data Affected by New National Security Restrictions on International Data Transfers
Highlights
- Health Insurance Portability and Accountability Act (HIPAA)-covered entities and healthcare organizations must now comply with additional national security regulations issued by the U.S. Department of Justice (DOJ) and Cybersecurity and Infrastructure Security Agency (CISA). These rules restrict the transfer of bulk U.S. sensitive personal data – including de-identified or encrypted health data – to certain foreign countries and entities.
- Affected organizations should reassess data-sharing practices, update HIPAA business associate agreements and vendor contracts, and implement security controls mandated by CISA to prevent unauthorized access by foreign adversaries or "covered persons."
- The DOJ can impose steep civil and criminal penalties – including fines of up to $368,136 per violation and imprisonment for willful breaches. Though enforcement will focus on egregious violations during the initial 90-day period, prompt compliance remains critical.
Health Insurance Portability and Accountability Act (HIPAA)-covered entities and business associates should be familiar with restrictions on the use or disclosure of protected health information (PHI) under HIPAA rules. Several new requirements may impose more stringent restrictions on certain health data.
For example, de-identifying PHI under HIPAA has been a widely accepted way of gleaning insight from PHI without compromising the privacy or security of the underlying identifiers. Once PHI has been properly de-identified – either through a so-called "safe harbor" method or the expert determination method – HIPAA's restrictions no longer apply to the data. Setting aside state laws that may be more stringent than HIPAA, covered entities could previously use or disclose de-identified PHI for any purpose without restrictions.
For some in the healthcare industry, that may have changed. On April 11, 2025, the U.S. Department of Justice (DOJ) announced steps it was taking to proceed with a Data Security Program designed to prevent foreign adversaries, including China, Russia and Iran, from accessing Americans' sensitive personal data and exploiting U.S. government-related data. The DOJ's April 11 press release indicated that the program is aimed at preventing these adversaries from using this data "to commit espionage and economic espionage, conduct surveillance and counterintelligence activities, develop artificial intelligence (AI) military capabilities and otherwise undermine our national security." These data transfer prohibitions can extend to aggregated and de-identified health data, which means organizations may need to review data transfers that have historically been viewed as safe, low-risk activities.
Executive Orders
This Data Security Program is a largely bipartisan effort implemented by the DOJ's National Security Division (NSD). On Feb. 28, 2024, President Joe Biden published Executive Order (EO) 14117, "Preventing Access to Americans' Bulk Sensitive Personal Data and Government-Related Data by Countries of Concern" (the EO). The EO expanded the scope of the national emergency declared by President Donald Trump on May 15, 2019, in EO 13873, "Securing the Information and Communications Technology and Services Supply Chain," and President Biden's prior June 9, 2021, EO 14034, "Protecting Americans' Sensitive Data from Foreign Adversaries."
The EO directed the U.S. Attorney General, in coordination with the U.S. Department of Homeland Security Secretary and consultation with heads of relevant agencies, to issue regulations governing prohibited and restricted transactions, including those involving the transfer of bulk sensitive personal data. "Prohibited transactions" refer to data transfers that are prohibited, whereas "restricted transactions" refer to limitations imposed on a party engaging in "a vendor agreement, employment agreement or investment agreement with a country of concern or covered person."
The EO also directed the Homeland Security Secretary, acting through the director of the Cybersecurity and Infrastructure Security Agency (CISA), to coordinate with the attorney general and relevant agency heads to publish regulations setting forth security requirements to address unacceptable risk posed by restricted transactions.
The DOJ subsequently issued its regulations in 28 C.F.R. §§202.1001-202.1201 (DOJ Rules) on Jan. 8, 2025, and CISA issued its Security Requirements for Restricted Transactions on Jan. 3, 2025. These requirements are addressed further below.
Protecting Americans' Data from Foreign Adversaries Act
Separate from the EO, the Protecting Americans' Data from Foreign Adversaries Act (PADFAA) was passed by Congress and signed by President Biden. It went into effect on June 23, 2024, and is enforced by the Federal Trade Commission (FTC). The law is fairly short and simply prohibits a data broker from transferring "personally identifiable sensitive data" of a U.S. individual to 1) any foreign adversary country or 2) any entity that is controlled by a foreign adversary. A "data broker" is defined as an entity that provides such information "for valuable consideration."
PADFAA defines "personally identifiable sensitive data" broadly. It includes government identifiers, health information, biometric and genetic information, precise geolocation information, the content and metadata associated with private communications, private content, calendar and contact information, video viewing activity, demographic information and online activities. Unlike the DOJ Rules, this definition is not based on the quantity of the information.
Given these nuances, PADFAA is broader than the EO in some respects and narrower in others. In the Jan. 8, 2025, preamble to the DOJ rules, the National Security Division observed that "[n]o current federal legislation or rule categorically prohibits or imposes security requirements to prevent U.S. persons from providing countries of concern or covered persons access to sensitive personal data or government-related data through data brokerage, vendor, employment or investment agreements." The DOJ therefore asserted that PADFAA does not create a sufficiently comprehensive regulatory scheme to address national security risks adequately.
Committee on Foreign Investment in the United States
The Committee on Foreign Investment in the United States (CFIUS) has the authority to evaluate potential national security risks of certain investments by foreign persons in certain U.S. businesses that maintain sensitive personal data of U.S. citizens. CFIUS reviews certain types of investments on a transaction-by-transaction basis.
CFIUS' authority is codified at 50 U.S.C. § 4565. "Sensitive personal data" is defined in 31 C.F.R. § 800.241 to include, among other things, identifiable data maintained or collected by a U.S. business that is contained in applications for health insurance or data relating to the physical, mental or psychological health condition of an individual.
"Identifiable data" does not include aggregated or anonymized data if there is no ability to use it to distinguish or trace an individual's identity. It also does not include encrypted data unless the U.S. business that maintains or collects the data has the means to decrypt it.
The DOJ Final Rules and Guidance
The DOJ Rules are the most recent federal restrictions that encompass certain health-related data, and became effective on April 8, 2025. The restrictions apply to government-related data or "bulk U.S. sensitive personal data." Importantly, they apply to bulk U.S. sensitive personal data "regardless of whether the data is anonymized, pseudonymized, de-identified or encrypted" (emphasis added).
With respect to sensitive personal data, "bulk" means sensitive personal data that exceeds certain thresholds in the preceding 12 months, including combined data where any particular data type meets the particular threshold:
- human omics data on more than 1,000 persons, or human genomic data involving more than 100 persons
- biometric data on more than 1,000 persons
- precise geolocation data maintained on more than 1,000 U.S. devices
- personal health data on more than 10,000 U.S. persons
- personal financial data on more than 10,000 U.S. persons
- covered personal identifiers on more than 100,000 U.S. persons
This definition excludes:
- stand-alone demographic or contact data (e.g., full name, birthplace, ZIP code, address, phone number, email address and similar public account identifiers)
- a stand-alone, network-based identifier necessary for the provision of telecommunications, networking or similar service (e.g., IP address without associated user activity)
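The "bulk" definition above is a rolling 12-month threshold test per data type, with stand-alone demographic and network identifiers carved out. The following is an added illustration (not from the alert or the DOJ Rules themselves) of how a data inventory might apply those thresholds to a constructed transfer log; the category labels, the record layout and the sample data are assumptions, and combined datasets are assumed to be recorded under the sensitive type they are linked to rather than as stand-alone demographic data.

```python
from collections import defaultdict
from datetime import date, timedelta

# Thresholds as summarized on the page: a type is "bulk" when the distinct
# count over the preceding 12 months is *more than* the listed number.
# Category labels are assumptions, not the rule's own terms.
BULK_THRESHOLDS = {
    "human_genomic": 100,          # persons
    "human_omics": 1000,           # persons (omics other than genomic)
    "biometric": 1000,             # persons
    "precise_geolocation": 1000,   # U.S. devices
    "personal_health": 10000,      # U.S. persons
    "personal_financial": 10000,   # U.S. persons
    "covered_identifiers": 100000, # U.S. persons
}

# Data the page says is excluded when transferred on a stand-alone basis.
STANDALONE_EXCLUDED = {"demographic_contact", "network_identifier"}

def bulk_data_types(transfers, as_of, window_days=365):
    """Return {data_type: distinct_count} for each type whose distinct
    subjects (persons or devices) transferred in the window ending at
    `as_of` exceed the threshold. Each transfer is a tuple of
    (date, data_type, iterable of subject ids)."""
    start = as_of - timedelta(days=window_days)
    subjects = defaultdict(set)
    for when, dtype, ids in transfers:
        if when < start or when > as_of or dtype in STANDALONE_EXCLUDED:
            continue  # outside the lookback window, or carved out
        subjects[dtype].update(ids)  # distinct subjects, not row counts
    return {dtype: len(ids) for dtype, ids in subjects.items()
            if dtype in BULK_THRESHOLDS and len(ids) > BULK_THRESHOLDS[dtype]}

def sample_transfers():
    """Constructed example log (not real data)."""
    return [
        (date(2025, 2, 1), "human_genomic", range(0, 80)),
        (date(2025, 3, 15), "human_genomic", range(70, 150)),        # 10 overlap -> 150 distinct
        (date(2024, 1, 10), "human_genomic", range(1000, 1120)),     # older than 12 months
        (date(2025, 4, 1), "personal_health", range(0, 5000)),       # below the 10,000 line
        (date(2025, 4, 1), "demographic_contact", range(0, 200000)), # stand-alone, excluded
    ]

def sample_report():
    # Assessed as of the DOJ Rules' effective date given on the page.
    return bulk_data_types(sample_transfers(), date(2025, 4, 8))  # {'human_genomic': 150}
```

Only the genomic data is flagged: two in-window transfers overlap by 10 persons but still exceed 100 distinct persons, while the older transfer, the sub-threshold health data and the stand-alone demographic data do not count.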
The restrictions apply to adverse countries that are "countries of concern." These currently include:
- China (including Hong Kong and Macau)
- Cuba
- Iran
- North Korea
- Russia
- Venezuela
Important for healthcare entities is an exception for certain clinical investigations and post-market surveillance. Specifically, certain FDA-regulated investigations or clinical investigations that support certain FDA applications are not subject to the restrictions. The preamble to the DOJ Rules states that the DOJ "does not intend to categorically preclude clinical investigations from being conducted in a country of concern and does not believe that the rule, even without the clinical investigation-focused exception, does so." Additionally, if a transaction is necessary to obtain or maintain regulatory approval to market or research drugs, devices or certain other products, that transaction is permitted, but only if the bulk sensitive data is de-identified or pseudonymized.
The NSD released a compliance guide and list of FAQs to assist the public in efforts to comply with the DOJ Rules. The compliance guide emphasizes that those who maintain Americans' sensitive personal data must "know their data," including what data is collected, how the information is used, whether the company engages in covered data transactions and how the data is marketed. The compliance guide notes that "[s]ensitive personal data could be exploited by a country of concern or a covered person to harm U.S. national security if that data is linked or linkable to any identifiable U.S. individual or to a discrete and identifiable group of U.S. persons." This is even the case with anonymized data, because it may be able to be aggregated and "used by countries of concern and covered persons to identify individuals and to conduct malicious activities that implicate the risk to national security."
U.S. persons engaging in data brokerage transactions with foreign persons other than covered persons must include contractual language prohibiting the foreign person from reselling or transferring government-related data or bulk U.S. sensitive personal data to covered persons or countries of concern, and the compliance guide provides sample contract language.
Under the International Emergency Economic Powers Act (IEEPA) and Data Security Program (DSP), NSD can bring civil and criminal enforcement actions for violations of DSP requirements. Civil penalties under IEEPA can go as high as the greater of $368,136 or twice the value of each transaction in violation. Willful violations of IEEPA can carry criminal penalties of up to 20 years in prison and a $1 million fine.
Though the DOJ has indicated that threats to U.S. bulk sensitive personal data are "increasingly urgent, and ensuring prompt compliance with the DSP requirements is critical," during the first 90 days after the DOJ Rules become effective (until July 8, 2025), the NSD will reserve penalties and enforcement actions "for egregious, willful violations."
The promulgation of these new federal restrictions in recent years means that HIPAA-covered entities and other healthcare companies cannot allow their compliance activities to be limited to HIPAA compliance. These companies need to assess the new requirements to determine whether they are applicable – particularly whether they need to impose further restrictions on the outbound transfer of anonymized, pseudonymized and de-identified health data.
It may also be necessary to update existing contracts, including HIPAA business associate agreements, to prevent data recipients from transferring data to prohibited recipients. To that end, the DOJ has released sample contract language in its compliance guide that organizations can consider adopting.
CISA Requirements
The CISA requirements were issued to safeguard restricted transfers and, in relevant part, specify a series of NIST-based security measures for covered systems that have bulk U.S. sensitive personal data on them and may be accessible to "covered persons" (e.g., individuals in China). The purpose of these security requirements is to mitigate the risk of sharing bulk U.S. sensitive personal data and government-related data with countries of concern or such covered persons.
CISA indicated that the requirements are necessary to make sure the organization has the ability to adhere to the covered data-level security requirements to address risks identified by the DOJ. These requirements are in addition to conditions that may be imposed by the DOJ, such as the DOJ Rules. These requirements are applicable only to organizations that engage in restricted transfers.
A covered system subject to the CISA requirements must prevent "covered persons" from accessing the covered data. A covered system includes certain information systems that can interact with covered data as part of a restricted transaction, even if the data is encrypted or de-identified. Unless it allows viewing of sensitive personal data that is also government-related data, a covered system does not include information systems such as end user workstations that can merely view sensitive personal data but do not ordinarily interact with such data in bulk form. Terms such as "countries of concern" and "covered person" are defined in the DOJ Rules.
For more information or questions, please contact the authors or any member of Holland & Knight's Data Strategy, Security & Privacy Practice Team or Healthcare & Life Sciences Industry Sector Group.
Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.