Navigating the New Data Security Landscape: What Digital Health Leaders Need to Know About the DOJ's Final Rule
The digital health sector is built on the secure and efficient handling of sensitive health information. As technology evolves and global connections deepen, so do the complexities of protecting this data. A significant new development in this landscape is the U.S. Department of Justice's (DOJ) final rule on "Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons." Published on January 8, 2025, this rule introduces critical restrictions and compliance obligations that CTeL members operating in digital health must understand.
Effective April 8, 2025, with due diligence and audit requirements taking effect on October 6, 2025, this rule implements Executive Order 14117 and is driven by national security concerns regarding the potential exploitation of bulk U.S. sensitive personal data by foreign adversaries (Department of Justice, 2025; Baker Donelson, 2025). It adds a new layer of complexity to data governance, distinct from but interacting with existing regulations like HIPAA.
Understanding the Scope: Who and What is Covered?
The rule applies to "U.S. persons" (including U.S. entities and individuals) engaging in "covered data transactions" that involve "bulk U.S. sensitive personal data" or "government-related data" and a "country of concern" or "covered person" (Department of Justice, 2025; Littler, 2025).
For the digital health industry, the most relevant categories of data are:
Sensitive Personal Data: This includes critical categories like personal health data and human 'omic data (Department of Justice, 2025).
Bulk Data: The rule defines specific thresholds for what constitutes "bulk," such as personal health data collected on more than 10,000 U.S. persons, or human 'omic data on more than 1,000 U.S. persons (or 100 for genomic data) (Department of Justice, 2025). Notably, the rule applies even if the data is anonymized, pseudonymized, de-identified, or encrypted, provided it meets the bulk thresholds and is linked or linkable to a U.S. person (Baker Donelson, 2025).
The Countries of Concern are explicitly listed as the People's Republic of China (including Hong Kong and Macau), the Russian Federation, the Islamic Republic of Iran, the Democratic People's Republic of Korea, the Republic of Cuba, and the Bolivarian Republic of Venezuela (Department of Justice, 2025).
Covered Persons include foreign entities headquartered in or organized under the laws of a country of concern, entities 50% or more owned by a country of concern or covered person, foreign individuals who are employees or contractors of such entities, or foreign individuals primarily resident in a country of concern, among others designated by the Attorney General (Littler, 2025).
"Covered data transactions" are broadly defined and include:
Data brokerage
Vendor agreements
Employment agreements
Investment agreements
This is particularly relevant for digital health companies that utilize international vendors for cloud hosting, data processing, or analytics, employ remote teams in countries of concern who access data, or receive foreign investment (Department of Justice, 2025; Lathrop GPM, 2025).
Prohibited vs. Restricted Transactions
The rule establishes a tiered approach:
Prohibited Transactions: These are outright banned and include:
Data brokerage involving any access to government-related data or bulk U.S. sensitive personal data with a country of concern or covered person.
Covered data transactions involving access by a country of concern or covered person to bulk human 'omic data or biospecimens from which it can be derived (Department of Justice, 2025).
Transactions designed to evade or avoid the rule's prohibitions (Department of Justice, 2025).
Restricted Transactions: Other covered data transactions involving access to bulk U.S. sensitive personal data (that are not bulk human 'omic data transactions) are not prohibited but are restricted. To engage in restricted transactions, U.S. persons must comply with stringent requirements (Department of Justice, 2025).
Navigating Restricted Transactions: The Compliance Imperative
For digital health organizations engaging in restricted transactions, significant compliance obligations are required, effective October 6, 2025:
Data Compliance Program: Implement risk-based procedures to verify data flows, identify transaction parties (including their ownership and citizenship), and determine the data's end use and the methods of transfer. This includes verifying the identity of vendors involved in restricted transactions (Department of Justice, 2025).
Written Policies: Maintain written policies describing the data compliance program and security requirements, annually certified by a responsible officer or executive (Department of Justice, 2025).
Audits: Conduct annual audits for each calendar year a U.S. person engages in any restricted transaction (Department of Justice, 2025).
Recordkeeping: Keep full and accurate records of all subject transactions for at least 10 years (Department of Justice, 2025).
Reporting: Furnish information to the DOJ upon request and file annual reports for restricted transactions involving cloud computing services where 25% or more of the U.S. person's equity interest is owned by a country of concern or covered person (Department of Justice, 2025).
Compliance also requires adhering to security requirements issued by the Cybersecurity and Infrastructure Security Agency (CISA) for restricted transactions (Wiley Rein, 2025).
Digital Health Specific Considerations
This rule has direct implications for various digital health operations:
Cloud Services & Data Hosting: Utilizing cloud providers with data centers or personnel in countries of concern or who are covered persons may fall under "vendor agreements" and be restricted transactions (Baker Donelson, 2025).
Remote Teams & Outsourcing: Employing individuals or contracting with entities in countries of concern who require access to bulk sensitive personal data is explicitly covered (Lathrop GPM, 2025).
Genomic and 'Omic Data Services: Due to the specific prohibition on bulk human 'omic data transactions, companies offering genomic sequencing, analysis, or related services face a strict ban on such transactions with countries of concern or covered persons (Department of Justice, 2025).
International Research Collaborations: While there are exemptions, transactions necessary for drug, biological product, or medical device authorization require compliance with recordkeeping and reporting, even if otherwise exempt (Department of Justice, 2025). Other research collaborations might fall under the restricted transaction category depending on data access and parties involved.
It is crucial to recognize that compliance with this DOJ rule does not negate HIPAA obligations. HIPAA governs the privacy and security of Protected Health Information (PHI) for covered entities and business associates within the U.S. healthcare system. The DOJ rule, under the authority of the International Emergency Economic Powers Act (IEEPA), addresses national security risks posed by specific foreign access to sensitive data, a different focus than HIPAA (Department of Justice, 2025; Gibson Dunn, 2025; Lathrop GPM, 2025). Digital health organizations must navigate both regulatory frameworks.
Enforcement and Penalties
Non-compliance carries significant risks, including civil penalties up to the greater of $368,136 or twice the transaction value, and criminal penalties up to $1,000,000 or 20 years imprisonment for natural persons (Department of Justice, 2025). The DOJ's National Security Division is prioritizing enforcement, although it initially indicated that it would not prioritize civil enforcement against good-faith compliance efforts during the first 90 days (April 8 - July 8, 2025) (WilmerHale, 2025). Full compliance is expected moving forward (WilmerHale, 2025).
Steps for CTeL Members
Given the effective dates and the complexity of the rule, CTeL members in digital health should take immediate action:
Know Your Data: Inventory the types and volumes of sensitive personal data, especially health and 'omic data, your organization collects, processes, and stores.
Map Data Flows: Understand where your data resides, how it is accessed, and who has access, including third-party vendors, contractors, and employees.
Identify Covered Transactions: Review vendor agreements, employment contracts, and investment agreements to identify any potential covered data transactions with countries of concern or covered persons.
Assess Risk: Determine if any transactions are prohibited or restricted under the rule based on the data involved and the parties.
Strengthen Compliance Programs: For restricted transactions, develop or enhance data compliance programs to meet the DOJ's stringent requirements for due diligence, auditing, recordkeeping, and reporting. Implement necessary CISA security measures.
Consult Legal Counsel: The nuances of this rule and its interaction with existing regulations necessitate expert legal guidance tailored to your specific operations.
This new DOJ rule marks a critical shift in data security regulation for the digital health industry. Proactive assessment and robust compliance measures are essential to protect sensitive health information and navigate this evolving national security landscape.
Disclaimer: This blog post is intended for informational purposes only and should not be construed as legal advice. CTeL members should consult with qualified legal counsel to assess the specific impact of this rule on their operations and ensure full compliance.
References
Baker Donelson. (2025, April 22). DOJ issues additional guidance and clarification on the bulk data transfer rule: What U.S. businesses need to know. Retrieved from https://www.bakerdonelson.com/doj-issues-additional-guidance-and-clarification-on-the-bulk-data-transfer-rule-what-us-businesses-need-to-know
Department of Justice. (2025, January 8). Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons. Retrieved from [Provided Text/CTeL Regulatory Primer]
Gibson Dunn. (2025, April 16). DOJ's New Frontier: Regulation, Oversight, and Enforcement of Ex-U.S. Data Transfers. Retrieved from https://www.gibsondunn.com/doj-new-frontier-regulation-oversight-and-enforcement-of-ex-us-data-transfers/
Lathrop GPM. (2025, April 2). New DOJ Limits on Cross-Border Data Transfers Prompt Assessment by Businesses. Retrieved from https://www.lathropgpm.com/insights/new-doj-limits-on-cross-border-data-transfers-prompt-assessment-by-businesses/
Littler. (2025, April 14). DOJ Rule Implementing Executive Order 14117 Regulating Cross-Border Data Transfers Takes Effect. Retrieved from https://www.littler.com/news-analysis/asap/doj-rule-implementing-executive-order-14117-regulating-cross-border-data
Wiley Rein. (2025, April 3). Update: DOJ and CISA Issue New National Security Program to Regulate Foreign Access to Sensitive Data. Retrieved from https://www.wiley.law/alert-Update-DOJ-and-CISA-Issue-New-National-Security-Program-to-Regulate-Foreign-Access-to-Sensitive-Data
WilmerHale. (2025, April 18). DOJ Issues Guidance for New Data Security Program. Retrieved from https://www.wilmerhale.com/en/insights/client-alerts/20250418-doj-issues-guidance-for-new-data-security-program