Department of Justice Bulk Sensitive Personal Data Transfer Rule (28 CFR Part 202) 

This post is part of our The Top 2025 Privacy and Security Issues Still Shaping Healthcare series, in which our team of attorneys provides essential strategies and insights for healthcare privacy and security.

Overview 

On February 28, 2024, President Biden signed Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” This order, implemented through the Department of Justice (DOJ) regulations (28 C.F.R. Part 202) and Cybersecurity and Infrastructure Security Agency (CISA) requirements, creates sweeping new restrictions on the transfer of Americans’ health data to certain foreign countries and entities. 

For healthcare organizations working with international partners, offshore vendors, or using artificial intelligence, these national security rules add a new layer of compliance—beyond HIPAA—most notably for sensitive personal data shared across borders. Even data that is de-identified in accordance with HIPAA may still be regulated under these new national security rules if it meets the DOJ’s “bulk” thresholds. The final rule took effect on April 8, 2025, with enforcement of some obligations delayed until later in 2025. 

What’s New and Why It Matters 

While HIPAA protects against unauthorized disclosure of protected health information (PHI) across domestic and international contexts, Executive Order 14117 and the DOJ rule specifically target bulk data transfers of sensitive data to designated countries and persons, focusing on national security risks. 

What is “Bulk” Data? 

Data is considered “bulk” if it exceeds specific volume thresholds within a 12-month period.1 Key categories (and associated volume thresholds) for healthcare organizations include: 

  • Personal Health Data:2 Information about an individual’s physical or mental health, healthcare provided to an individual, or payment for healthcare to an individual (more than 10,000 U.S. persons). 
  • Genomic and Other ‘Omic Data:3 Human genomic data (over 100 U.S. persons) and other ‘omic data (over 1,000 U.S. persons), including genetic and epigenomic results, are highly restricted, with most transfers to countries of concern prohibited. 
  • Biometric Identifiers:4 Facial recognition data, fingerprints, and other biometric information (more than 1,000 U.S. persons). 

Who is Restricted? 

  • “Countries of Concern”: The regulations identify six “countries of concern”: China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela.5 
  • “Covered persons”: 
  1. Foreign entities that are organized under, principally based in, or 50% or more owned by a country of concern or another covered person; 
  2. Foreign individuals primarily residing in a country of concern; 
  3. Foreign employees or contractors of a covered person or of a government of a country of concern; and 
  4. Persons or organizations designated by the Attorney General.6 

What Transactions are Prohibited or Restricted? 

  • Prohibited Transactions: The regulations prohibit data brokerage transactions (e.g., selling or licensing data) providing countries of concern or covered persons with access to bulk U.S. sensitive personal data, any transactions involving sharing of bulk human ‘omic data or human biospecimens with covered persons, and certain brokerage with potential onward transfer7—unless authorized by a DOJ specific or general license. When engaging in data brokerage with any foreign person who is not a covered person, companies must include contractual provisions prohibiting subsequent transfers to countries of concern or covered persons.8 
  • Restricted Transactions: Restricted transactions are permitted but only with appropriate security measures in place.9 Vendor,10 employment,11 and investment agreements12 that involve covered persons accessing bulk U.S. sensitive personal data and would otherwise be prohibited are conditionally permitted if parties implement CISA Security Requirements and meet DOJ due diligence and audit requirements. 

Healthcare-Specific Exemptions 

The regulations include several important exemptions for healthcare operations, including exemptions for drug/biologic/medical device authorizations13 and clinical investigations/post-market surveillance.14 However, these exemptions have strict requirements.15 Even de-identified, pseudonymized, or encrypted data can be covered if bulk thresholds and transaction rules are met. 

Security Requirements 

Organizations engaging in restricted transactions must comply with CISA’s security requirements.16 At the organizational and system level, entities must maintain comprehensive asset inventory and management practices, implement timely vulnerability remediation, enforce multifactor authentication, and conduct thorough data risk assessments, among other requirements. Organizations must also implement data level protections that effectively prevent unauthorized access to data, such as data minimization and masking techniques to reduce exposure. They must also thoroughly encrypt sensitive information during both transit and storage, establish secure key management so that covered persons cannot access encryption keys, and use privacy-enhancing technologies to protect data while it is being processed. 

Why This Matters for Healthcare Organizations 

If your organization uses or is considering offshore resources, due diligence and careful compliance analysis are essential. For example: 

  1. International Clinical Trials: Healthcare organizations conducting multi-national clinical trials with sites in countries of concern must evaluate whether their data sharing practices are exempt or need modification. 
  2. Offshore IT Support and Development: Offshore IT support or development resources in restricted countries may constitute restricted “employment agreements” or “vendor agreements” that require additional security. 
  3. Cloud Services: Healthcare providers must ensure their cloud vendors block access for covered persons, including during system administration or maintenance. 
  4. Artificial Intelligence: The rule’s data brokerage definition turns on whether a transaction provides access to bulk U.S. sensitive personal data. If an AI model can reproduce training data with sensitive personal information, licensing or giving access to a covered person may be considered a prohibited data brokerage transaction. All AI licensing requires careful due diligence.17 

Penalties 

Violations may result in civil penalties up to the greater of (a) $377,700 per violation (as adjusted annually), or (b) twice the value of the transaction that gave rise to the violation. Willful violations can result in criminal fines of up to $1,000,000 and imprisonment for up to 20 years for individuals.18 

Key Takeaways

Executive Order 14117 and the DOJ rule represent a paradigm shift in health data protection. Healthcare organizations must carefully evaluate all international data sharing, vendor, and technology relationships—especially those involving offshore resources—to ensure compliance with these new national security requirements. 

Contact us

For further details or additional information, please contact Noreen Vergara or another member of the Husch Blackwell Healthcare Privacy and Security Work Group.


  1. 28 C.F.R. § 202.205.
  2. 28 C.F.R. § 202.241.
  3. 28 C.F.R. § 202.224.
  4. 28 C.F.R. § 202.204.
  5. 28 C.F.R. § 202.601(a).
  6. 28 C.F.R. § 202.211.
  7. 28 C.F.R. §§ 202.301, 202.303.
  8. Id.
  9. 28 C.F.R. § 202.401.
  10. 28 C.F.R. § 202.258.
  11. 28 C.F.R. § 202.217.
  12. 28 C.F.R. § 202.228.
  13. 28 C.F.R. § 202.510.
  14. 28 C.F.R. § 202.511.
  15. 28 C.F.R. § 202.1101.
  16. Cybersecurity & Infrastructure Sec. Agency, Security Requirements for Restricted Transactions E.O. 14117 Implementation (Jan. 2025), https://www.cisa.gov/sites/default/files/2025-01/Security_Requirements_for_Restricted_Transaction-EO_14117_Implementation508.pdf.
  17. 28 C.F.R. § 202.301(b)(1).
  18. 28 C.F.R. § 202.1301.