
Health Data Regulations Expand, Create Compliance Obstacles

Source: IAPP Privacy News (iapp.org)

Summary

This IAPP analysis, published 24 April 2026, surveys four U.S. health data regulations targeting foreign adversary access: the DOJ Preventing Access to Americans' Bulk Sensitive Personal Data rule (effective 8 April 2025, enforceable 6 Oct. 2025), Florida's Electronic Health Records Exchange Act (effective 1 July 2023), the Texas Genomic Act of 2025 (effective 1 Sept. 2025), and Utah's Genetic Information Amendments (effective 1 Jan. 2028). The analysis covers scope and data types, equipment and software restrictions, data storage requirements, enforcement mechanisms including Texas's private right of action (up to USD 5,000/violation) and the DOJ rule's civil penalties up to USD 377,700 and criminal penalties up to USD 1 million and 20 years imprisonment, and certification and compliance reporting requirements.

“For life sciences companies, clinical laboratories, telehealth platforms and consumer health brands, the question is no longer whether these obligations apply, but how many apply simultaneously and where internal resources should be allocated.”

Published by Kelley Drye on iapp.org. Detected, standardized, and enriched by GovPing. Review our methodology and editorial standards.

About this source

GovPing monitors IAPP Privacy News for new data privacy & cybersecurity regulatory changes. Every update since tracking began is archived, classified, and available as free RSS or email alerts — 48 changes logged to date.

What changed

This article provides a detailed comparison of four enacted health data regulations targeting foreign adversary access to U.S. sensitive data: the DOJ Bulk Sensitive Data Rule, Florida's EHR Exchange Act, the Texas Genomic Act of 2025, and Utah's Genetic Information Amendments. The analysis identifies key differences in scope, equipment restrictions, data storage mandates, enforcement mechanisms, and certification requirements across these largely unaligned regimes.

Affected organizations — life sciences companies, clinical laboratories, telehealth platforms, consumer health brands and healthcare providers — may be subject to multiple regimes simultaneously. The article recommends a practical compliance roadmap including mapping operations and data flows against each law's jurisdictional triggers, verifying data storage locations and access controls, and reviewing vendor and collaborator relationships for links to foreign adversary countries.

Archived snapshot

Apr 25, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.


ANALYSIS

Published 24 April 2026


Contributors:

Kate Black

Partner

Kelley Drye & Warren, LLP

Mason Fitch

CIPP/US, FIP

Special Counsel

Kelley Drye & Warren LLP


Over the past three years, federal and state regulations designed to prevent foreign adversary nations from accessing, storing or processing American health and genomic data have expanded into a multilayered framework.

The U.S. Department of Justice's Bulk Sensitive Data Rule and state data laws in Florida, Texas and Utah — with pending legislation in additional states — collectively impose data localization mandates, remote access bans and equipment restrictions, yet these regimes remain largely unaligned.

For life sciences companies, clinical laboratories, telehealth platforms and consumer health brands, the question is no longer whether these obligations apply, but how many apply simultaneously and where internal resources should be allocated.

The regulatory landscape: Enacted laws

The U.S. Department of Justice's Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern. Effective 8 April 2025 and enforceable 6 Oct. 2025, the DOJ rule, which implements Executive Order 14117, protects U.S. sensitive personal data, including health, genomic and biometric data as well as biospecimens, by restricting access by a "country of concern" — China, Cuba, Iran, North Korea, Russia or Venezuela — or a "covered person" linked to those countries.

Companies in scope must maintain a written data compliance program including due diligence, risk-based reviews, auditing and recordkeeping for at least 10 years.

Florida Electronic Health Records Exchange Act. Effective 1 July 2023, this law requires Florida health care providers using certified EHR technology to ensure that all patient information stored offsite, including through third-party vendors or cloud providers, is physically maintained in the continental U.S., its territories or Canada.

The Texas Genomic Act of 2025. Effective 1 Sept. 2025, HB 130 prohibits any company, medical facility, research facility or nonprofit from using genome sequencers or sequencing-related software produced by or on behalf of a foreign adversary, including subsidiaries and affiliates.

All genome sequencing data of Texas residents must be stored within the U.S. and made inaccessible to anyone within a foreign adversary's borders. The law requires annual compliance certification to the attorney general and creates a private right of action.

Utah Genetic Information Amendments. Effective 1 Jan. 2028, with penalties enforceable 1 May 2028, HB 182 bans genetic sequencers and operational or research software produced by or affiliated with foreign adversaries and prohibits storage of genetic data within adversary borders. Prohibited equipment must be removed or permanently disabled and replaced with compliant alternatives.

Comparing the four regimes

Scope and data types. The DOJ rule casts the widest net, covering any U.S. person or entity in transactions involving bulk health data (more than 10,000 records), biometric data (1,000 or more records), genomic data (more than 100 records) or biospecimens.

Texas and Utah focus specifically on genome and genetic sequencing data, primarily regulating companies, medical facilities, research organizations and nonprofits.

Florida's EHR Exchange Act covers all qualified electronic health record data but is limited to Florida-licensed providers using certified EHR technology.

Equipment and software restrictions. The DOJ rule and Florida EHR Exchange Act do not ban specific hardware or software.

Texas prohibits genome sequencers and sequencing-related software produced by or on behalf of a foreign adversary, including subsidiaries and affiliates.

Utah goes further, requiring that prohibited genetic sequencers and operational or research software be physically removed or permanently disabled and replaced with compliant alternatives.

Data storage and foreign adversary designations. The DOJ rule treats any agreement giving a country of concern access to bulk U.S. sensitive personal data as a restricted "covered data transaction."

Texas requires U.S.-based storage with data inaccessible to anyone within foreign adversary borders. Utah similarly prohibits storage within adversary borders. Florida permits storage in the continental U.S., its territories or Canada.

The DOJ rule, Texas and Utah all target the same six foreign adversary nations — China, Cuba, Iran, North Korea, Russia and Venezuela. Florida instead relies on a general geographic mandate rather than designating specific countries.

Enforcement and penalties. Texas is the only law that creates a private right of action, allowing individuals to seek up to USD 5,000 per violation, while also empowering the attorney general to pursue up to USD 10,000 per violation.

The DOJ rule carries the most severe consequences: civil penalties up to approximately USD 377,700 and criminal penalties up to USD 1 million and 20 years imprisonment.

Utah provides USD 10,000 per violation plus actual damages, but enforcement rests solely with the attorney general. Florida relies on disciplinary action by the Agency for Health Care Administration.

Certification and compliance reporting. The DOJ rule requires annual internal compliance program audits, with certification requirements varying by transaction type.

Texas mandates annual certification, prepared by an attorney, submitted to the attorney general by 31 Dec. each year. Utah requires a sworn statement by 31 Dec. 2028, with recertification every 10 years thereafter. Florida requires attestation under penalty of perjury at the time of licensure or renewal.

Practical compliance roadmap for life sciences, health care and consumer health organizations

These laws may seem narrow or inapplicable on their face, but they are likely to have a significant impact on most health, life science and biotech companies.

For example, a nationwide telehealth platform that also offers a consumer genetic test, and a life sciences company that operates clinical laboratories in Texas and Florida, conducts clinical trials generating genomic data or markets a consumer genetic product, are each likely subject to all four regimes simultaneously.

Organizations should:

Determine which laws apply. Map operations, data flows and patient populations against each law's jurisdictional triggers, including any vendor or collaborator relationships with entities linked to foreign adversary countries.

Verify data storage and access controls. Conduct an independent review of where health and genomic data is physically stored and who has remote access, encompassing primary repositories, backup locations, cloud infrastructure and any offshore support teams.

Analyze research and clinical trial exceptions. The DOJ rule includes limited exemptions for clinical research and regulatory approvals; Texas provides a narrow exception for HIPAA-defined research. Determine whether any exceptions apply and document them.

Audit equipment and software supply chains. Inventory all genome sequencing hardware and software, tracing each item's manufacturer, country of production and corporate parentage to identify foreign adversary links. Texas requires immediate cessation of use; Utah will require removal or replacement by 1 Jan. 2028.

Update vendor contracts. Incorporate required federal and state provisions into vendor agreements. Require periodic recertification of vendor compliance, conduct risk-based audits of high-risk vendors and maintain records sufficient to support Texas's annual attorney general certification and the DOJ rule's 10-year recordkeeping requirement.

Address Texas-specific litigation risk. Companies processing genomic data of Texas residents should quantify exposure, evaluate insurance coverage for statutory damages and ensure compliance is robust enough to defend against potential suits.
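As an added illustration of the "verify data storage and access controls" and "determine which laws apply" steps, the following Python checker is editor-supplied and not part of the Kelley Drye article. It evaluates a constructed inventory of data stores (primary region, replicas, backups and every principal with remote access, including offshore support teams) against a simplified model of the storage and access rules summarized above. The country codes, record-count thresholds, field names and inventory entries are assumptions that approximate the article's summary, not statutory text; a country-level model cannot express distinctions such as "continental" U.S., and the DOJ rule's covered-person analysis (ownership, employment, direction) is deliberately out of scope.

```python
"""Storage-location and remote-access check against a simplified model of the four regimes.

Editor-supplied example; the regime rules here are an approximation of the article's summary,
not statutory text. Country codes are ISO 3166 alpha-2 and are assumptions.
"""
from dataclasses import dataclass, field

# Countries of concern / foreign adversaries as named in the article.
COUNTRIES_OF_CONCERN = {"CN", "CU", "IR", "KP", "RU", "VE"}
# Assumed location sets; "continental U.S." cannot be expressed at country granularity.
US_ONLY = {"US"}
US_TERRITORIES = {"PR", "GU", "VI", "AS", "MP"}
FLORIDA_ALLOWED = US_ONLY | US_TERRITORIES | {"CA"}
# Bulk thresholds as the article summarizes them (record counts, "more than").
DOJ_BULK_THRESHOLDS = {"health": 10_000, "biometric": 1_000, "genomic": 100}


@dataclass
class DataStore:
    name: str
    data_types: set[str]              # subset of {"ehr", "health", "biometric", "genomic"}
    record_count: int
    subject_states: set[str]          # residency of data subjects, e.g. {"TX", "UT"}
    primary_region: str               # country code of the primary repository
    replica_regions: list[str] = field(default_factory=list)
    backup_region: str = "US"
    access_principals: list[tuple[str, str]] = field(default_factory=list)  # (who, country)
    florida_certified_ehr_provider: bool = False


def storage_countries(store: DataStore) -> set[str]:
    """Every country in which any copy of the data rests: primary, replicas and backups."""
    return {store.primary_region, store.backup_region, *store.replica_regions}


def concern_access(store: DataStore) -> list[str]:
    """Principals with remote access who sit inside a country of concern."""
    return sorted(who for who, country in store.access_principals if country in COUNTRIES_OF_CONCERN)


def evaluate(store: DataStore) -> list[str]:
    findings: list[str] = []
    where = storage_countries(store)

    # Florida EHR Exchange Act: Florida-licensed providers using certified EHR technology must keep
    # offsite patient records in the continental U.S., its territories or Canada.
    if store.florida_certified_ehr_provider and "ehr" in store.data_types:
        outside = where - FLORIDA_ALLOWED
        if outside:
            findings.append(f"[FL] {store.name}: EHR data located in {sorted(outside)}")

    # Texas Genomic Act: genome sequencing data of Texas residents must be stored in the U.S.
    # and be inaccessible to anyone within a foreign adversary's borders.
    if "genomic" in store.data_types and "TX" in store.subject_states:
        outside = where - US_ONLY
        if outside:
            findings.append(f"[TX] {store.name}: genomic data located outside the U.S. in {sorted(outside)}")
        who = concern_access(store)
        if who:
            findings.append(f"[TX] {store.name}: genomic data accessible from adversary borders by {who}")

    # Utah HB 182: no storage of genetic data within adversary borders.
    if "genomic" in store.data_types and "UT" in store.subject_states:
        inside = where & COUNTRIES_OF_CONCERN
        if inside:
            findings.append(f"[UT] {store.name}: genetic data stored inside adversary borders {sorted(inside)}")

    # DOJ rule: access by a country of concern to data above a bulk threshold is a restricted
    # covered data transaction. Covered-person analysis (ownership, employment) is out of scope.
    bulk = [t for t, n in DOJ_BULK_THRESHOLDS.items() if t in store.data_types and store.record_count > n]
    if bulk:
        who = concern_access(store)
        if who:
            findings.append(f"[DOJ] {store.name}: bulk {bulk} accessible to country-of-concern principals {who}")
    return findings


# Constructed inventory (hypothetical systems) that exercises each rule at least once.
INVENTORY = [
    DataStore("lab-genomics", {"genomic"}, 2_500, {"TX", "UT"}, "US",
              replica_regions=["SG"], backup_region="US",
              access_principals=[("vendor-support-sh", "CN"), ("analyst-1", "US")]),
    DataStore("clinic-ehr", {"ehr", "health"}, 50_000, {"FL"}, "US",
              replica_regions=["IE"], backup_region="CA",
              access_principals=[("dba", "US")], florida_certified_ehr_provider=True),
    DataStore("telehealth-notes", {"health"}, 400_000, {"FL", "TX"}, "US",
              access_principals=[("support-team", "IN")]),
]


def run(inventory: list[DataStore] = INVENTORY) -> dict[str, list[str]]:
    """Map each store name to its list of findings; an empty list means no flag under this model."""
    return {store.name: evaluate(store) for store in inventory}


if __name__ == "__main__":
    for name, findings in run().items():
        print(name, "OK" if not findings else "")
        for line in findings:
            print("   ", line)
```

The point of modelling backups and replicas as storage locations is that an audit which looks only at the primary database misses exactly the copies (cross-region replicas, offsite backups, vendor-hosted support mirrors) that the Texas and Florida storage mandates reach; likewise, "who has remote access" is modelled per principal and country so that an offshore support contract shows up as a finding rather than disappearing into a vendor name.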

The outlook: Pending state legislation

State-level action is accelerating. In early 2026, several additional states introduced or advanced similar legislation, including West Virginia's proposed Genomic Information Privacy Act, which would add biometric privacy and genetic and genomic data protections; Wisconsin's House Bill 673, which would ban the use of genetic software from foreign adversaries in medical and research facilities; and Virginia's HB 685 on genetic sequencing.

Companies that invest in compliance infrastructure now will be prepared not only for today's requirements, but for the additional state laws that are all but certain to follow.


Tags: Enforcement, Law and regulation, Program management, Health care, Privacy


About this page

What is GovPing?

Every important government, regulator, and court update from around the world. One place. Real-time. Free. Our mission

What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from Kelley Drye.

What's AI-generated?

The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.

Classification

Agency: Kelley Drye
Published: April 24th, 2026
Instrument: Notice
Branch: Executive
Legal weight: Non-binding
Stage: Final
Change scope: Minor

Who this affects

Applies to: Healthcare providers, Clinical investigators, Technology companies
Industry sector: 5112 Software & Technology
Activity scope: Health data compliance, Genomic data governance, Vendor risk assessment
Geographic scope: United States (US)

Taxonomy

Primary area: Data Privacy
Operational domain: Compliance
Compliance frameworks: GDPR, HIPAA
Topics: National Security, Export Controls
