Well before the latest government shutdown, the U.S. Department of Justice’s National Security Division (DOJ NSD) issued a final rule at 28 CFR Part 202 (“2025 Final Rule” or “Rule”) to help prevent “countries of concern” or “covered persons” from accessing U.S. government-related data and Americans’ bulk sensitive personal data. The 2025 Final Rule took effect in April—and after a 90-day safe harbor period, the DOJ began enforcement on July 8.
Six months after implementation—with the U.S. Senate now passing the BIOSECURE Act restricting certain biotech business with China—compliance remains the key for affected stakeholders, including those exchanging personal health data. As we reported in July, the 2025 Final Rule implemented the prior administration’s Executive Order 14117 of February 28, 2024, by prohibiting and restricting “bulk” data transactions with countries that could threaten U.S. national security through the use of Americans’ sensitive personal data.
While the 2025 Final Rule remains largely untested, federal agencies and stakeholders alike have taken action to test the bounds of the Rule and, in some instances, expand applicability beyond 28 CFR Part 202. Below is a brief refresher of the key elements of the Rule and some recent developments.
Blog Editors
Recent Updates
- Medicaid Behavioral Health Investigations and Payment Suspensions in D.C. Are Increasing – How Providers Can Limit Risk
- ‘Emilie’ Is Not a Psychiatrist: Pennsylvania Board of Medicine Alleges Unlawful Practice of Medicine by an AI Chatbot
- DOJ’s West Coast Strike Force to Target Health Care Fraud in Arizona, Nevada, and Northern California
- DOJ FOCUS Initiative Prioritizes “High Quality” Data Miner Actions by FCA Whistleblowers
- FDA Proposal Would Leave Semaglutide, Tirzepatide, and Liraglutide Off 503B Bulks List