Well before the latest government shutdown, the U.S. Department of Justice’s National Security Division (DOJ NSD) issued a final rule at 28 CFR Part 202 (“2025 Final Rule” or “Rule”) to help prevent “countries of concern” or “covered persons” from accessing U.S. government-related data and Americans’ bulk sensitive personal data. The 2025 Final Rule took effect in April—and after a 90-day safe harbor period, the DOJ began enforcement on July 8.
Six months after implementation—with the U.S. Senate now passing the BIOSECURE Act restricting certain biotech business with China—compliance remains the key for affected stakeholders, including those exchanging personal health data. As we reported in July, the 2025 Final Rule implemented the prior administration’s Executive Order 14117 of February 28, 2024, by prohibiting and restricting “bulk” data transactions with countries that could threaten U.S. national security through the use of Americans’ sensitive personal data.
While the 2025 Final Rule remains largely untested, federal agencies and stakeholders alike have taken action to test the bounds of the Rule and, in some instances, expand applicability beyond 28 CFR Part 202. Below is a brief refresher of the key elements of the Rule and some recent developments.
Blog Editors
Recent Updates
- HHS OIG Issues Favorable Advisory Opinion Regarding Surgical Supply Discounts to Ambulatory Surgery Centers in Exchange for Software Purchases
- Health Care Workplace Violence Legislation Heats Up in 2026
- DOGE's Attempt to Crowdsource Medicaid Fraud Scrutiny: Is This the Future of Healthcare Fraud Investigations?
- Feds vs. the States: Dr. Mehmet Oz Announces an Investigation Into New York’s Medicaid Program
- U.S. Supreme Court to Weigh Induced Infringement Case Regarding ‘Generic Version of Vascepa®’