Well before the latest government shutdown, the U.S. Department of Justice’s National Security Division (DOJ NSD) issued a final rule at 28 CFR Part 202 (“2025 Final Rule” or “Rule”) to help prevent “countries of concern” or “covered persons” from accessing U.S. government-related data and Americans’ bulk sensitive personal data.

The 2025 Final Rule took effect in April—and after a 90-day safe harbor period, the DOJ began enforcement on July 8.

Six months after implementation—with the U.S. Senate now passing the BIOSECURE Act restricting certain biotech business with China—compliance remains the key for affected stakeholders, including those exchanging personal health data. As we reported in July, the 2025 Final Rule implemented the prior administration’s Executive Order 14117 of February 28, 2024, by prohibiting and restricting “bulk” data transactions with countries that could threaten U.S. national security through the use of Americans’ sensitive personal data.

While the 2025 Final Rule remains largely untested, federal agencies and stakeholders alike have taken action to test the bounds of the Rule and, in some instances, expand applicability beyond 28 CFR Part 202. Below is a brief refresher of the key elements of the Rule and some recent developments.

Applicability

A substantial portion of the 2025 Final Rule became effective April 8, 2025, requiring all impacted individuals and entities to comply or make good faith efforts to come into compliance on that date. Other provisions, including those requiring adoption of internal compliance efforts for restricted transactions, only recently took effect on October 6, 2025.

April 8 Start Date

As we explained in our previous post, “covered persons” under the 2025 Final Rule are generally foreign persons or entities accessing bulk U.S. sensitive personal data or government-related data who are also connected to “countries of concern”—currently China, Iran, North Korea, Russia, Venezuela, and Cuba. This connection could be triggered, for example, through majority ownership, employee or contractor status, or primary residence. A “covered person” can also be any person determined by the U.S. attorney general to be connected to a country of concern in certain ways. Most of the 2025 Final Rule took effect on April 8, 2025.

The 2025 Final Rule applies to transactions containing the following three elements:

  • A covered data transaction;
  • Involving any bulk U.S. sensitive personal data or any government-related data; and
  • Providing a “country of concern” or “covered person” with “access” to such controlled data.

Regarding covered data transactions, the transaction must involve one or more of the following, as defined in the rule:

  • A data brokerage;
  • A vendor agreement;
  • An employment agreement; or
  • An investment agreement.

Whether a transaction involves “bulk” data is determined based on the type of data and whether the transfer of data meets or exceeds the corresponding volume thresholds for the specific category of data. One of the most common categories of data governed by the Rule is the exchange of personal health data, which is defined broadly as any information describing or relating to an individual's past, present, or future health condition—a designation broader than Protected Health Information (“PHI”) under HIPAA. Transferring personal health information of more than 10,000 U.S. persons, within the preceding 12-month period (applying to both single and aggregated transactions), to a country of concern or covered person is expressly prohibited unless the transfer fits within a recognized exemption.

October 6 Start Date

The 2025 Final Rule contained three exceptions to the April 8 start date for enforcement of the affirmative obligations: (1) under Subpart J, relating to due diligence and audit requirements for restricted transactions; (2) Section 202.1103, relating to reporting requirements for certain restricted transactions; and (3) Section 202.1104, relating to reports on rejected prohibited transactions. Entities and individuals were required to comply with those three provisions as of October 6, 2025.

Due Diligence and Audit Requirements: October 6 Start Date

By now, U.S. persons engaging in “restricted transactions” should be in the process of developing and implementing a data compliance program that addresses the organization’s risk profile and, as of October 6, 2025, conducting the internal audits prescribed by the Rule.

A “restricted transaction” includes covered data transactions involving employment, vendor, or investment agreements with a country of concern or a covered person. U.S. persons engaging in these transactions must comply with (1) the Cybersecurity and Infrastructure Security Agency (CISA) Security Requirements for Restricted Transactions; (2) the data compliance program and audit requirements described in Subpart J; and (3) the specific recordkeeping requirements of Section 202.1101 as they pertain to restricted transactions.

Federal Agency Reactions and Scrutiny of U.S. Biospecimens

The 2025 Final Rule carves out two significant exemptions for clinical research activities: (1) drug, biological product, and medical device authorizations (§ 202.510); and (2) clinical investigations and post-marketing surveillance data (§ 202.511). Section 202.510 exempts the sharing of U.S. sensitive personal data if the data include regulatory approval data required to obtain or maintain regulatory authorization, including in a country of concern. Section 202.511 similarly exempts bulk data transactions incident to and part of clinical investigations required to obtain or maintain FDA approval, including post-market surveillance and safety monitoring. These two broad exemptions provided a road map for clinical research organizations seeking to continue cross-border business relationships while navigating the regulatory approval process for drugs and devices.

But the U.S. Food and Drug Administration (FDA) recently foreshadowed that cross-border clinical research involving U.S. persons would not continue with “business as usual.” The FDA announced in June that it would immediately review new clinical trials that “involve sending American citizens’ living cells to China and other hostile countries for genetic engineering and subsequent infusion back into U.S. patients—sometimes without their knowledge or consent.”

The agency blamed the 2025 Final Rule exemptions, including Section 202.511, for American DNA being sent abroad without the knowledge or understanding of trial participants. Although the DOJ’s 2025 Final Rule commentary already directs that this exemption be construed narrowly, the FDA appears to be encouraging clinical trial sponsors not to rely on the Section 202.511 exemption, even if doing so would otherwise be permissible under the Data Security Program (DSP).

“The FDA is actively reviewing all relevant clinical trials that relied on this exemption and will require companies to demonstrate full transparency, ethical consent, and domestic handling of sensitive biological materials,” the announcement says. “New trials that cannot meet these standards will not proceed.”

Similarly, a September 24, 2025, policy change at the National Institutes of Health (NIH) regarding enhanced security measures for human biospecimens, citing the 2025 Final Rule, will prohibit NIH awardees from “directly or indirectly distributing the human biospecimens to institutions or parties located in countries of concern,” which notably include China. The NIH policy applies to all human clinical and research biospecimens obtained from U.S. persons (regardless of identifiability) that are collected, obtained, stored, used, or distributed and that are supported or funded, in any part, by any ongoing or new NIH funding mechanism regardless of NIH funding level; it excludes cell lines derived from such human biospecimens. This policy is effective October 24, 2025.

Litigation

Two class action lawsuits filed in early September already allege violations of the 2025 Final Rule to support legal claims under the Electronic Communications Privacy Act (ECPA) and related common law claims. The 2025 Final Rule does not contain a private right of action. Accordingly, both Porcuna v. Xandr, Inc., No. 4:25-cv-07385—filed in the U.S. District Court for the Northern District of California—and Baker v. Index Exchange, Inc., No. 1:25-cv-10517—filed in the U.S. District Court for the Northern District of Illinois—assert that the defendant companies should have been aware of the 2025 Final Rule and its prohibitions on cross-border data sharing. The lawsuits contend that the defendants’ intentional violation of the Rule supports a violation of the ECPA.

Notably, both lawsuits claim that advertising platforms (based in the United States and Canada respectively, the latter conducting extensive business in the United States) unlawfully intercepted users’ online communications and transmitted sensitive data to Chinese e-commerce platforms. Both seek statutory damages as well as equitable relief, including an injunction prohibiting the companies from continuing the bulk data transfers to entities affiliated with foreign adversaries.

Takeaways

As we have emphasized since its issuance, the 2025 Final Rule broadly impacts routine business transactions and data transfers across all business sectors, including companies that may not historically have had significant exposure to international restrictions. The recent federal agency actions and reactions underscore the far-reaching effects of the 2025 Final Rule, which will affect the exchange of data in federally regulated processes, such as FDA approval for drugs and devices, as well as certain data used in federal grants, such as those awarded by NIH. Individuals or entities that knowingly evade, or conspire to evade, these restrictions or prohibitions could face criminal or civil penalties.

Thus, companies must closely evaluate their vendor relationships and employment agreements, along with commercial transactions, to assess compliance. As we have mentioned, the DOJ’s Compliance Guide directs U.S. persons to “know their data,” including the volume and type of data collected that relates to U.S. persons and how the company uses that data in business transactions, with careful consideration given to whether such transactions are covered data transactions under the 2025 Final Rule. At a minimum, all companies that conduct business with, or regularly affiliate with, a country of concern or covered person should perform due diligence into the nature and extent of those relationships.

Epstein Becker Green Staff Attorney Ann W. Parks contributed to the preparation of this post.
