
DOJ Rules on Bulk Sensitive Personal Data Transfers

JD Supra Trade Law
Published April 8th, 2025
Detected March 5th, 2026

Summary

The Department of Justice has issued new regulations (28 CFR Part 202) implementing Executive Order 14117, restricting the bulk transfer of sensitive personal data, including health and genomic data, to countries of concern. These rules add a layer of compliance beyond HIPAA for organizations handling international data transfers.

What changed

The Department of Justice (DOJ) has finalized new regulations, 28 CFR Part 202, implementing Executive Order 14117, which restricts the transfer of bulk sensitive personal data of Americans to designated "countries of concern." These regulations target national security risks associated with such data transfers, particularly impacting healthcare organizations, and apply to categories like personal health data (over 10,000 individuals), genomic data (over 100 individuals), and biometric identifiers (over 1,000 individuals). The "countries of concern" include China, Cuba, Iran, North Korea, Russia, and Venezuela.

These rules impose new compliance obligations on entities that transfer sensitive personal data across borders, adding to existing requirements like HIPAA. Organizations must assess their data transfer practices to ensure compliance with the volume thresholds and country restrictions. While the rule took effect on April 8, 2025, enforcement of some obligations is delayed until later in 2025, providing a transition period for compliance efforts. Failure to comply could result in penalties, though specific penalties are not detailed in this summary.

What to do next

  1. Review data transfer agreements for international partners and vendors.
  2. Assess current data volumes for personal health, genomic, and biometric data against DOJ thresholds.
  3. Identify any transfers to designated 'countries of concern' and evaluate compliance with new restrictions.

Source document (simplified)

March 4, 2026

New DOJ Regulations on Bulk Sensitive Personal Data Transfers

Kela Feldman, Neha Khan, Husch Blackwell LLP

Department of Justice Bulk Sensitive Personal Data Transfer Rule (28 CFR Part 202)

This post is part of our series, The Top 2025 Privacy and Security Issues Still Shaping Healthcare, in which our team of attorneys provides essential strategies and insights for healthcare privacy and security.

Overview

On February 28, 2024, President Biden signed Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” This order, implemented through the Department of Justice (DOJ) regulations (28 C.F.R. Part 202) and Cybersecurity and Infrastructure Security Agency (CISA) requirements, creates sweeping new restrictions on the transfer of Americans’ health data to certain foreign countries and entities.

For healthcare organizations working with international partners, offshore vendors, or using artificial intelligence, these national security rules add a new layer of compliance—beyond HIPAA—most notably for sensitive personal data shared across borders. Even data that is de-identified in accordance with HIPAA may still be regulated under these new national security rules if it meets the DOJ’s “bulk” thresholds. The final rule took effect on April 8, 2025, with enforcement of some obligations delayed until later in 2025.

What’s New and Why It Matters

While HIPAA protects against unauthorized disclosure of protected health information (PHI) across domestic and international contexts, Executive Order 14117 and the DOJ rule specifically target bulk data transfers of sensitive data to designated countries and persons, focusing on national security risks.

What is “Bulk” Data?

Data is considered “bulk” if it exceeds specific volume thresholds within a 12-month period.[1] Key categories (and associated volume thresholds) for healthcare organizations include:

  • Personal Health Data:[2] Information about an individual’s physical or mental health, healthcare provided to an individual, or payment for healthcare to an individual (more than 10,000 U.S. persons).

  • Genomic and Other ‘Omic Data:[3] Human genomic data (over 100 U.S. persons) and other ‘omic data (over 1,000 U.S. persons), including genetic and epigenomic results, are highly restricted, with most transfers to countries of concern prohibited.

  • Biometric Identifiers:[4] Facial recognition data, fingerprints, and other biometric information (more than 1,000 U.S. persons).
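
As an added illustration (not code from the post or from Husch Blackwell, and not a statement of how DOJ itself counts), the following Python sketches the kind of check a data-governance engineer might build from the thresholds quoted above: for each counterparty and data category it finds the largest number of distinct U.S. persons whose records were transferred within any 365-day window and flags the category as “bulk” when that count exceeds the quoted threshold. The record layout, the per-counterparty aggregation, the 365-day model of “12 months”, and the sample data are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import date, timedelta

# Volume thresholds quoted in the post: data is "bulk" when it covers
# MORE THAN this many U.S. persons within a 12-month period.
BULK_THRESHOLDS = {
    "personal_health": 10_000,
    "human_genomic": 100,
    "other_omic": 1_000,
    "biometric": 1_000,
}

# Assumption: "12-month period" modelled as any run of 365 consecutive days.
WINDOW = timedelta(days=365)


def max_persons_in_window(events):
    """events: iterable of (date, person_id).

    Returns the largest number of DISTINCT persons whose data appears in any
    365-day window. Repeated transfers of the same person count once, which is
    why a plain row count would over-state the figure.
    """
    events = sorted(events, key=lambda e: e[0])
    in_window = defaultdict(int)  # person_id -> rows currently inside the window
    left = 0
    best = 0
    for d, pid in events:
        in_window[pid] += 1
        # Evict rows that fall outside [d - 364 days, d].
        while d - events[left][0] >= WINDOW:
            old_pid = events[left][1]
            in_window[old_pid] -= 1
            if in_window[old_pid] == 0:
                del in_window[old_pid]
            left += 1
        best = max(best, len(in_window))
    return best


def assess_bulk(transfers):
    """transfers: list of dicts with keys date, person_id, category, counterparty.

    Assumption: aggregation is per (counterparty, category). Returns a dict
    {(counterparty, category): (max_distinct_persons, threshold, is_bulk)}.
    """
    grouped = defaultdict(list)
    for t in transfers:
        grouped[(t["counterparty"], t["category"])].append((t["date"], t["person_id"]))
    report = {}
    for key, events in grouped.items():
        threshold = BULK_THRESHOLDS[key[1]]
        n = max_persons_in_window(events)
        report[key] = (n, threshold, n > threshold)
    return report


def build_sample():
    """Constructed sample data (not real transfers).

    vendor-A: 101 distinct persons' genomic records within 101 days, plus ten
              repeat transfers of the first person -> exceeds the 100 threshold.
    vendor-B: 150 distinct persons, one every 5 days over about two years ->
              at most 73 in any 365-day window -> below threshold.
    """
    start = date(2025, 4, 8)  # the rule's effective date, used only as an origin
    sample = []
    for i in range(101):
        sample.append({"date": start + timedelta(days=i), "person_id": f"P{i:05d}",
                       "category": "human_genomic", "counterparty": "vendor-A"})
    for i in range(10):
        sample.append({"date": start + timedelta(days=i), "person_id": "P00000",
                       "category": "human_genomic", "counterparty": "vendor-A"})
    for i in range(150):
        sample.append({"date": start + timedelta(days=5 * i), "person_id": f"P{i:05d}",
                       "category": "human_genomic", "counterparty": "vendor-B"})
    return sample


if __name__ == "__main__":
    for (vendor, category), (n, limit, bulk) in sorted(assess_bulk(build_sample()).items()):
        status = "BULK" if bulk else "ok"
        print(f"{vendor:10s} {category:15s} max {n:5d} distinct persons / threshold {limit:5d} -> {status}")
```

The sliding window matters because the post frames the threshold as a count of persons over a 12-month period, not a count of files or rows: vendor-B receives 150 people's records in total yet never more than 73 in any single window, while vendor-A crosses the genomic threshold with 101 distinct people even though the repeat transfers of one person add nothing to the count.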

Who is Restricted?

  • “Countries of Concern”: The regulations identify six “countries of concern”: China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela.[5]

  • “Covered persons”:

  1. Foreign entities that are organized under, principally based in, or 50% or more owned by a country of concern or another covered person;

  2. Foreign individuals primarily residing in a country of concern;

  3. Foreign employees or contractors of a covered person or of a government of a country of concern; and

  4. Persons or organizations designated by the Attorney General.[6]

What Transactions are Prohibited or Restricted?

  • Prohibited Transactions: The regulations prohibit data brokerage transactions (e.g., selling or licensing data) providing countries of concern or covered persons with access to bulk U.S. sensitive personal data, any transactions involving sharing of bulk human ‘omic data or human biospecimens with covered persons, and certain brokerage with potential onward transfer,[7] unless authorized by a DOJ specific or general license. When engaging in data brokerage with any foreign person who is not a covered person, companies must include contractual provisions prohibiting subsequent transfers to countries of concern or covered persons.[8]

  • Restricted Transactions: Restricted transactions are permitted but only with appropriate security measures in place.[9] Vendor,[10] employment,[11] and investment agreements[12] that involve covered persons accessing bulk U.S. sensitive personal data and would otherwise be prohibited are conditionally permitted if parties implement CISA Security Requirements and meet DOJ due diligence and audit requirements.

Healthcare-Specific Exemptions

The regulations include several important exemptions for healthcare operations, including exemptions for drug/biologic/medical device authorizations[13] and clinical investigations/post-market surveillance.[14] However, these exemptions have strict requirements.[15] Even de-identified, pseudonymized, or encrypted data can be covered if bulk thresholds and transaction rules are met.

Security Requirements

Organizations engaging in restricted transactions must comply with CISA’s security requirements.[16] At the organizational and system level, entities must maintain comprehensive asset inventory and management practices, implement timely vulnerability remediation, enforce multifactor authentication, and conduct thorough data risk assessments, among other requirements. Organizations must also implement data-level protections that effectively prevent unauthorized access to data, such as data minimization and masking techniques to reduce exposure. They must also thoroughly encrypt sensitive information during both transit and storage, establish secure key management so that covered persons cannot access encryption keys, and use privacy-enhancing technologies to protect data while it is being processed.

Why This Matters for Healthcare Organizations

If your organization uses or is considering offshore resources, due diligence and careful compliance analysis are essential. For example:

  1. International Clinical Trials: Healthcare organizations conducting multi-national clinical trials with sites in countries of concern must evaluate whether their data sharing practices are exempt or need modification.

  2. Offshore IT Support and Development: Offshore IT support or development resources in restricted countries may constitute restricted “employment agreements” or “vendor agreements” that require additional security.

  3. Cloud Services: Healthcare providers must ensure their cloud vendors block access for covered persons, including during system administration or maintenance.

  4. Artificial Intelligence: The rule’s data brokerage definition turns on whether a transaction provides access to bulk U.S. sensitive personal data. If an AI model can reproduce training data with sensitive personal information, licensing or giving access to a covered person may be considered a prohibited data brokerage transaction. All AI licensing requires careful due diligence.[17]

Penalties

Violations may result in civil penalties up to the greater of (a) $377,700 per violation (as adjusted annually), or (b) twice the value of the transaction that gave rise to the violation. Willful violations can result in criminal fines of up to $1,000,000 and imprisonment for up to 20 years for individuals.[18]

Key Takeaways

Executive Order 14117 and the DOJ rule represent a paradigm shift in health data protection. Healthcare organizations must carefully evaluate all international data sharing, vendor, and technology relationships—especially those involving offshore resources—to ensure compliance with these new national security requirements.

  1. 28 C.F.R. § 202.205.
  2. 28 C.F.R. § 202.241.
  3. 28 C.F.R. § 202.224.
  4. 28 C.F.R. § 202.204.
  5. 28 C.F.R. § 202.601(a).
  6. 28 C.F.R. § 202.211.
  7. 28 C.F.R. §§ 202.301, 202.303.
  8. Id.
  9. 28 C.F.R. § 202.401.
  10. 28 C.F.R. § 202.258.
  11. 28 C.F.R. § 202.217.
  12. 28 C.F.R. § 202.228.
  13. 28 C.F.R. § 202.510.
  14. 28 C.F.R. § 202.511.
  15. 28 C.F.R. § 202.1101.
  16. Cybersecurity & Infrastructure Security Agency, Security Requirements for Restricted Transactions, E.O. 14117 Implementation (Jan. 2025), https://www.cisa.gov/sites/default/files/2025-01/SecurityRequirementsforRestrictedTransaction-EO14117Implementation508.pdf.
  17. 28 C.F.R. § 202.301(b)(1).
  18. 28 C.F.R. § 202.1301.


Source

Analysis generated by AI. Source diff and links are from the original.

Classification

Agency: Various
Published: April 8th, 2025
Instrument: Rule
Legal weight: Binding
Stage: Final
Change scope: Substantive

Who this affects

Applies to: Healthcare providers, Pharmaceutical companies, Manufacturers, Technology companies
Geographic scope: National (US)

Taxonomy

Primary area: Data Privacy
Operational domain: Compliance
Topics: National Security, Healthcare
