Department of Justice (DOJ) Data Security Program—The Impact on Your Organization
In a recent Health Law Alert, we briefly discussed the U.S. Department of Justice (DOJ) National Security Division’s data security program (DSP), emphasizing its effect on the health care information and data security environment. The DSP went into effect on April 8, 2025; however, DOJ did not prioritize enforcement from April 8 through July 8, 2025, so long as entities were engaging in reasonable efforts to comply with the new requirements. That grace period has now ended, and organizations are expected to be compliant with the DSP for the bulk transfer of certain sensitive personal information to certain foreign nations, individuals and entities.
In its simplest form, the DSP either prohibits or restricts a U.S. person from entering into a covered transaction with a covered person or a country of concern. There are many nuances to the DSP, but we touch on the parts of the rule impacting health care entities the most.
A covered transaction includes a transaction involving access by a country of concern or covered person to any government-related data or bulk U.S. sensitive personal data (defined below) that involves (i) data brokerage; (ii) vendor agreements; (iii) employment agreements; or (iv) investment agreements. Bulk U.S. sensitive personal data includes (even if de-identified) the following categories, each with its own threshold:
| Category | Bulk threshold |
|---|---|
| Human genomic data | 100 U.S. persons |
| Human epigenomic data | 1,000 U.S. persons |
| Human proteomic data | 1,000 U.S. persons |
| Human transcriptomic data | 1,000 U.S. persons |
| Biometric identifiers | 1,000 U.S. persons |
| Precise geolocation data | 1,000 U.S. devices |
| Personal health data | 10,000 U.S. persons |
| Personal financial data | 10,000 U.S. persons |
| Covered personal identifiers | 100,000 U.S. persons |
Where a data set combines data from more than one of the categories above, the lowest threshold that is met for any single category applies to the entire data set.
If the transaction meets the requirements above and is considered a covered transaction, the transaction must also be with a covered person or country of concern to be subject to the DSP. A covered person includes the following:
- Foreign entities headquartered in or organized under the laws of a country of concern
- Foreign entities 50% or more owned by a country of concern or covered person
- Foreign individuals primarily resident in a country of concern
- Foreign individuals who are employees or contractors of a covered person entity or a country-of-concern government
The countries of concern include:
- China
- Russia
- Iran
- Korea
- Cuba
- Venezuela
If a transaction meets the criteria above, then the DSP either prohibits or restricts the transaction. There are five categories of prohibited transactions. Health care organizations will more likely fall into the “restricted transactions” category, which can include vendor agreements and employment agreements that meet the requirements above; one example is a vendor agreement for cloud storage that uses an offsite data center in a country of concern. Restricted transactions are prohibited unless the Cybersecurity and Infrastructure Security Agency (CISA) security requirements are met, in addition to other requirements. Some of these requirements include:
- Implementation and demonstration of compliance with security standards
- Due diligence obligations
- Annual audit requirements
- Record retention requirements
- Annual reports
Operating in violation of the DSP opens the door to civil and criminal penalties. It is therefore important for health care entities to know where their data is stored and whether a potential transaction is subject to the DSP. Health care entities should focus on the following:
- Evaluate company data to determine how the data is stored or processed, flagging transactions (or data) that are potentially subject to the DSP.
- Review vendor and employment contracts for offshoring language, specifically language that either permits or prohibits the other party from storing data in a way that might violate the DSP. Keep in mind that accompanying business associate agreements might also contain an offshoring provision.
- Unwind or amend existing agreements that either allow for offshoring or, in practice, store bulk data in a way that might violate the DSP.
- Educate personnel responsible for negotiating vendor and employment agreements on the transactions covered by the DSP and any parameters for a restricted transaction.