The DOJ's new rule on cross-border data transfers is a game-changer for healthcare organizations. It aims to protect U.S. national security by regulating the handling of sensitive data, especially with six countries: China, Russia, Iran, North Korea, Cuba, and Venezuela. The rule took effect on April 8, 2025; compliance became mandatory when the grace period ended on July 8, 2025, and the full set of requirements is enforced from October 6, 2025.
Key points:
- What’s Covered: Sensitive health data, including genomic data, biometric identifiers, and even de-identified or encrypted data, if bulk thresholds are met.
- Who’s Affected: Healthcare organizations, vendors, and individuals tied to "countries of concern."
- Penalties: Civil fines up to $377,700 per violation or double the transaction value; criminal fines up to $1,000,000 and 20 years imprisonment for willful violations.
- Compliance Steps: Map data flows, update contracts, implement security controls, and maintain a 10-year documentation trail.
Takeaway: Healthcare leaders must act now to align their operations with these strict regulations to avoid penalties and protect sensitive data.
Key Legal Definitions and Frameworks
Covered Data and Thresholds for Healthcare Data
The Department of Justice (DOJ) rule applies when data volumes surpass specific "bulk" thresholds within a rolling 12-month period. These thresholds, particularly for healthcare data, might be lower than many organizations anticipate.
| Data Category | Bulk Threshold (12-Month Period) |
|---|---|
| Human Genomic Data | > 100 U.S. persons |
| Human 'Omic Data (epigenomic, proteomic, transcriptomic) | > 1,000 U.S. persons |
| Biometric Identifiers | > 1,000 U.S. persons |
| Precise Geolocation Data | > 1,000 U.S. devices |
| Personal Health Data | > 10,000 U.S. persons |
| Personal Financial Data | > 10,000 U.S. persons |
| Covered Personal Identifiers | > 100,000 U.S. persons |
The threshold for human genomic data - just 100 individuals - means that even a single research study could trigger compliance requirements. Additionally, the rule defines personal health data more broadly than the HIPAA standard for Protected Health Information (PHI). Elizabeth J. McEvoy of Epstein Becker Green highlights this distinction:
"Personal health data... is defined broadly as any information describing or relating to an individual's past, present, or future health condition - a designation broader than Protected Health Information ('PHI') under HIPAA." [8]
Importantly, these thresholds apply regardless of whether the data has been anonymized, pseudonymized, de-identified, or encrypted [2]. This broad scope underscores the rule's intent to capture a wide range of data under its jurisdiction.
Countries of Concern and Covered Persons
The rule identifies six "countries of concern": China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela. However, its reach extends further, encompassing entities and individuals outside these nations if they meet the "covered persons" criteria.
A "covered person" includes:
- Any foreign entity that is 50% or more owned (directly or indirectly) by a country of concern
- Any organization established under the laws of a country of concern
- Foreign individuals primarily residing in these countries, including employees or contractors
Additionally, the U.S. Attorney General has the authority to designate other individuals or organizations [4][6].
One critical aspect of the rule is its broad definition of "access." Jenna Moore of Cooley LLP explains:
"Access is defined broadly under the rule to mean any logical or physical access without regard to whether security measures, such as access controls, actually deny access." [6]
This means healthcare organizations must not only monitor who views their data but also effectively manage third-party risk by assessing who could theoretically access it, even if safeguards are in place.
Prohibited, Restricted, and Exempt Transactions
The rule divides covered transactions into three categories, each with specific compliance requirements, reflecting the DOJ's focus on national security.
- Prohibited: These transactions include selling or licensing bulk sensitive health data and granting access to bulk human genomic data [4][1].
- Restricted: These are allowed only with stringent security measures, aligned with guidelines from the Cybersecurity and Infrastructure Security Agency (CISA). Required controls include multifactor authentication, encryption (both in transit and at rest), and secure key management. For example, an offshore IT support team in Iran managing an electronic health record (EHR) system would fall under this category. Organizations must retain documentation for at least 10 years [4][6].
- Exempt: These transactions involve FDA-regulated clinical investigations, post-market surveillance studies, or data transfers for regulatory approval of drugs or medical devices. However, the data must be de-identified or pseudonymized, and these transactions also carry specific documentation requirements [4][6].
Failing to comply with these rules can lead to severe penalties. Civil penalties can reach up to $377,700 per violation or twice the transaction's value, whichever is greater. Criminal penalties for willful violations include fines of up to $1,000,000 and imprisonment for up to 20 years [7].
Compliance Timelines and Requirements
DOJ Cross-Border Data Rule: Compliance Timeline & Key Deadlines for Healthcare
Implementation Phases and Key Dates
The Department of Justice (DOJ) rule introduces a phased approach, giving healthcare organizations a clear timeline to establish compliance. Knowing these deadlines and their specific requirements is essential to avoid penalties.
The rule officially went into effect on April 8, 2025, marking the start of a 90-day grace period. During this time, the DOJ emphasized good-faith efforts over enforcement. Christopher Parrella, Esq., of Parrella Health Law, explained:
"The DOJ has offered a 90-day grace period ending July 8, 2025. During this time, health care organizations making a good-faith effort to comply - such as conducting data audits or updating contracts - will not be a target for enforcement." - Christopher Parrella, Esq., Parrella Health Law
Once the grace period ended on July 8, 2025, full compliance became mandatory. As noted by Holland & Knight, "The 90-day period has expired, and the DOJ expects that individuals and entities be 'in full compliance with the DSP.'"
Another critical date is October 6, 2025, when additional requirements, such as formal due diligence, independent audits, and reporting procedures, become enforceable. Annual certifications, overseen by senior officials, also begin on this date.
| Milestone | Date | Requirement |
|---|---|---|
| Rule Effective Date | April 8, 2025 | Data Security Program (DSP) framework takes effect |
| Grace Period End | July 8, 2025 | Full compliance with key prohibitions expected |
| Affirmative Obligations | October 6, 2025 | Independent audits, due diligence, and reporting procedures enforceable |
| Annual Certification | October 6, 2025 (annually) | Senior officials must certify the compliance program |
With these deadlines in place, healthcare organizations must prioritize the creation and implementation of a compliant Data Security Program.
Data Security Program Requirements for Healthcare
Meeting the October 6, 2025, deadline requires healthcare organizations to establish a detailed and effective Data Security Program. Here are the key elements:
- Data flow mapping: Document every instance of bulk personal health data access, including by offshore vendors, remote IT teams, and cloud providers. This should account for both physical and logical access, even when encryption or access controls are used.
- Vendor screening: Evaluate all third-party partners against the DOJ's Covered Persons List. Update Business Associate Agreements and vendor contracts to explicitly prohibit transferring bulk sensitive data to countries of concern. As Christopher Parrella emphasized, "This is not just an IT issue - it implicates enterprise-wide operations."
- Technical controls: Implement security measures aligned with CISA standards. These include multifactor authentication (MFA), encryption for data in transit and at rest, secure key management, and regular vulnerability assessments and remediation.
- Program oversight: Appoint a senior employee to manage the Data Security Program and oversee annual compliance certifications.
- Documentation retention: Maintain all compliance records - such as audit reports, due diligence documentation, and data transfer logs - for a minimum of 10 years.
Impact on Healthcare Data Transfers and Risk Management
National Security Risks in Cross-Border Healthcare Data Transfers
The Department of Justice (DOJ) rule highlights the serious risks tied to sensitive health data falling into the wrong hands, particularly when it comes to U.S. national security. These risks extend far beyond standard privacy concerns. If foreign adversaries gain access to bulk health data, it could be used for surveillance, espionage, counterintelligence, or even developing AI-driven military tools.
Certain types of human omic data - like genomic, epigenomic, proteomic, and transcriptomic data - are flagged as especially high-risk. This is due to their potential misuse in biological research or for identifying individuals.
"Sensitive personal data could be exploited by a country of concern or a covered person to harm U.S. national security if that data is linked or linkable to any identifiable U.S. individual or to a discrete and identifiable group of U.S. persons." - U.S. Department of Justice, National Security Division [2]
What’s important to note here is how this differs from HIPAA regulations. Under HIPAA, de-identified data is typically unrestricted. However, the DOJ rule places restrictions on de-identified, anonymized, pseudonymized, and even encrypted data if it meets bulk thresholds and involves a country of concern [2][6].
These national security considerations create direct challenges for healthcare providers, both strategically and operationally.
Operational Challenges for Healthcare Organizations
Healthcare organizations face significant hurdles as they work to comply with this rule.
Vendor relationships are a key area of concern. Many providers depend on offshore IT support, cloud services, or third-party analytics vendors. If these vendors employ staff residing in a country of concern - or are majority-owned by entities tied to one - they may qualify as "covered persons." Even something as simple as granting database access to such individuals could trigger a "covered transaction" under the rule’s broad definition of access [6].
International research partnerships are also under the microscope. For example, the NIH has banned the distribution of human biospecimens to countries of concern starting in October 2025. Meanwhile, the FDA is reviewing clinical trials that previously relied on regulatory approval exemptions [8]. Organizations conducting multi-site trials with international collaborators must now verify whether these partnerships still meet exemption criteria.
Cloud hosting arrangements add another layer of complexity. If a cloud vendor’s staff includes covered persons who could access bulk sensitive data, even with safeguards in place, compliance obligations may be triggered. Healthcare organizations must ensure their vendors block such access contractually and document these controls thoroughly [4].
How Cybersecurity and Risk Platforms Support Compliance
Navigating these challenges requires more than policy adjustments - healthcare organizations need robust tools to maintain compliance. This is where advanced cybersecurity and risk platforms come into play.
Censinet RiskOps™ is designed specifically for healthcare delivery organizations (HDOs) and their vendor networks. It enables effective third-party risk assessments, helping organizations screen vendors against covered persons criteria, implement CISA-mandated controls, and maintain the required 10-year audit trail for compliance [9][6]. Its AI-powered toolset, Censinet AI™, streamlines vendor security questionnaires and flags potential fourth-party risks - critical for verifying that a vendor’s subcontractors aren’t transferring bulk data to countries of concern.
For healthcare providers, automating due diligence and centralizing risk documentation are critical steps. These measures ensure compliance with the rule’s strict reporting and auditing requirements [9].
Conclusion and Key Takeaways
The latest rules from the DOJ bring significant changes to how healthcare organizations handle data, especially when it involves cross-border transfers. Let’s break down the most critical points and what leaders in the healthcare sector need to do next.
Summary of Key Compliance Points
The DOJ’s new rule introduces the Data Security Program (DSP), fundamentally altering the way U.S. healthcare entities manage data transfers across borders. Christopher Parrella, Esq. of Parrella Health Law, captures the magnitude of this change:
"This rule creates the Data Security Program (DSP), and with it, a seismic shift in how U.S. health care entities must handle cross-border data transfers." [3]
What sets this apart is its scope: the rule applies even to data that is anonymized, de-identified, or encrypted - marking a clear departure from HIPAA's previous framework. Non-compliance carries steep penalties, and mismanaged third-party risk carries a significant economic impact. Civil violations could result in fines of up to $377,700 per violation or twice the transaction value, whichever is higher. Intentional violations are even more severe, with criminal fines reaching $1,000,000 and potential prison sentences of up to 20 years [4]. Additionally, organizations tied to Medicare, TRICARE, or defense health contracts may face exclusion from federal healthcare programs. These measures aim to protect not just legal compliance but also national security and patient trust.
Next Steps for Healthcare Leaders
With the enforcement grace period ending on July 8, 2025, and formal compliance requirements starting October 6, 2025 [5], healthcare organizations cannot afford delays. Leaders need to take immediate, actionable steps to align with the new standards:
- Map your data: Identify where sensitive data is stored and who has access, including offshore vendors and IT personnel.
- Revise contracts and agreements: Update BAAs, vendor contracts, and employment agreements to prohibit data transfers to restricted countries. Ensure all security controls are documented and retained for at least 10 years.
- Secure ongoing transactions: Apply measures like multi-factor authentication (MFA), encryption, and timely vulnerability patching for restricted transactions.
- Strengthen oversight: Appoint a senior compliance officer, establish a formal data security policy, and commit to annual independent audits.
To simplify compliance, platforms like Censinet RiskOps™ offer tools to streamline vendor screening, centralize audit documentation, and proactively identify risks from third and fourth parties. These tools can help organizations stay ahead of potential violations and maintain operational integrity.
FAQs
How can we determine if our data transfers meet the DOJ “bulk” thresholds?
To determine whether your data transfers exceed the Department of Justice (DOJ) bulk thresholds, it's essential to monitor the volume of specific data types sent to either countries of concern or individuals covered under these guidelines over a 12-month period. The thresholds are as follows:
- Personal health or financial data: Transfers involving 10,000 or more U.S. persons.
- Biometric, geolocation, or omic data: Transfers involving 1,000 or more U.S. persons or devices.
- Genomic data: Transfers involving 100 or more U.S. persons.
- Personal identifiers: Transfers involving 100,000 or more U.S. persons.
If multiple types of data are being transferred, the threshold for the data type with the lowest limit will apply.
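A rolling 12-month threshold check that implements the bulk threshold table above together with this answer's lowest-threshold rule for mixed data types, written here as an added example (it is not code from the page, the DOJ, or Censinet). The category names, the constructed vendor access log, and the strict "more than" comparison taken from the table are assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Bulk thresholds from the table on this page, counted over a rolling 12-month
# window. The table reads "> N", so the check below is strictly greater than N
# (an assumption; the FAQ's "N or more" wording would make it >=).
BULK_THRESHOLDS = {
    "genomic": 100, "omic": 1_000, "biometric": 1_000,
    "geolocation": 1_000,  # counted in U.S. devices, not persons
    "health": 10_000, "financial": 10_000, "identifiers": 100_000,
}

def subjects_in_window(events, as_of, window_days=365):
    """Distinct subject ids per category in the trailing window ending at as_of.
    events: (event_date, category, subject_id). Repeat access to one subject
    counts once, because the thresholds count persons, not records."""
    start = as_of - timedelta(days=window_days)
    seen = defaultdict(set)
    for when, category, subject in events:
        if category not in BULK_THRESHOLDS:
            raise ValueError(f"unknown data category: {category!r}")
        if start < when <= as_of:
            seen[category].add(subject)
    return seen

def bulk_assessment(events, as_of, window_days=365):
    """Return (categories over their own threshold, combined-flow finding or None).
    Combined: when one flow mixes categories, the lowest threshold among them
    governs (as the FAQ states), applied to all distinct subjects in the flow."""
    seen = subjects_in_window(events, as_of, window_days)
    over = {c: len(s) for c, s in seen.items() if len(s) > BULK_THRESHOLDS[c]}
    combined = None
    if seen:
        governing = min(BULK_THRESHOLDS[c] for c in seen)
        total = len(set().union(*seen.values()))
        if total > governing:
            combined = {"categories": sorted(seen), "threshold": governing,
                        "subjects": total}
    return over, combined

def constructed_sample():
    """Constructed access log for a hypothetical offshore analytics vendor."""
    as_of = date(2025, 10, 6)
    events = [(date(2025, 3, 1), "genomic", f"P{i}") for i in range(60)]
    events += [(date(2025, 8, 15), "health", f"P{i}") for i in range(60, 130)]
    # Repeat accesses to the same health subjects must not inflate the count.
    events += [(date(2025, 9, 1), "health", f"P{i}") for i in range(60, 130)]
    # Events older than 12 months fall outside the rolling window.
    events += [(date(2024, 6, 1), "genomic", f"OLD{i}") for i in range(500)]
    return events, as_of
```

In the constructed log neither category crosses its own threshold, yet the combined flow of 130 distinct persons exceeds the governing genomic threshold of 100, which is the case a per-category count alone would miss.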
Does the rule apply even if our health data is encrypted or de-identified?
Yes, this rule applies to health data even if it has been de-identified, anonymized, or encrypted. While these methods might align with other privacy laws like HIPAA, they don’t exempt the data from Department of Justice (DOJ) requirements if it surpasses bulk thresholds. Censinet RiskOps helps organizations stay compliant by simplifying risk assessments and maintaining a strong security posture to navigate cross-border data transfer regulations, no matter the state of the data.
What vendor or cloud access qualifies as a “covered transaction”?
Under the DOJ's final rule, a vendor agreement is considered a covered transaction if it involves a country of concern or a covered person gaining access to bulk U.S. sensitive personal data or government-related data. This applies to various agreements, such as those for cloud hosting, IT support, software subscriptions, and data analytics. Censinet RiskOps supports healthcare organizations in addressing these risks by providing tools for comprehensive assessments and continuous monitoring of third-party data access, ensuring compliance with stringent security requirements.