Photo of Neha Khan

Neha Khan

Neha focuses on healthcare regulatory and transactional matters, supporting clients with legal and compliance needs in a changing industry.

Contact:Read more about Neha Khan
Department of Justice Bulk Sensitive Personal Data Transfer Rule (28 CFR Part 202) 

This post is part of our The Top 2025 Privacy and Security Issues Still Shaping Healthcare series, in which our team of attorneys provides essential strategies and insights for healthcare privacy and security.

Overview 

On February 28, 2024, President Biden signed Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” This order, implemented through the Department of Justice (DOJ) regulations (28 C.F.R. Part 202) and Cybersecurity and Infrastructure Security Agency (CISA) requirements, creates sweeping new restrictions on the transfer of Americans’ health data to certain foreign countries and entities. 

A new law, the Consolidated Appropriations Act, went into effect on February 3, 2026, issuing new Medicare reimbursement guidelines for off-campus provider-based hospital outpatient departments (HOPDs). As of January 1, 2028, hospitals will be required to make certain operational changes to maintain OPPS reimbursement eligibility for their off-campus provider-based locations. These include such measures as