By: Christopher Parrella, Esq., CPC, CHC, CPCO
Parrella Health Law, Boston, MA
A Health Care Provider Defense and Compliance Firm
On April 8, 2025, the U.S. Department of Justice’s Final Rule at 28 CFR Part 202, “Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons,” took effect. The rule, issued December 27, 2024 and published in the Federal Register on January 8, 2025, implements Executive Order 14117 and creates the Data Security Program (DSP). With it comes a seismic shift in how U.S. health care entities must handle cross-border data transfers and foreign access to their data.
Why It Matters to the Health Care Industry
Health care providers, life sciences companies, digital health platforms, revenue cycle vendors, and IT contractors are all on the front lines of managing and transmitting massive volumes of patient data. The Final Rule restricts transfers of sensitive personal data—including biometric, genomic, and health data—to certain foreign adversaries, including China, Russia, Iran, North Korea, Cuba, and Venezuela.
If your health care organization interacts with foreign nationals, vendors, investors, or data processors tied to these countries—or even if you employ individuals who reside there—this rule directly affects you.
Key Definitions Impacting Health Care
- Sensitive Personal Data: Covers biometric identifiers, human ’omic data (including genomic data), personal health data (which overlaps heavily with HIPAA protected health information), precise geolocation data, personal financial data, and covered personal identifiers. These data types are ubiquitous across EHR platforms, telehealth services, lab networks, and mobile health apps. The rule reaches them at “bulk” thresholds (for example, personal health data on more than 10,000 U.S. persons, or human genomic data on more than 1,000 U.S. persons), so data volume is part of the analysis.
- Covered Persons: Foreign entities organized under the laws of, or headquartered in, a country of concern, or 50 percent or more owned by one; foreign individuals who are employees or contractors of such entities or of a country-of-concern government; foreign individuals primarily resident in a country of concern; and anyone the Attorney General specifically designates.
- Government-Related Data: Involves information related to U.S. government employees and contractors, including health data housed by federal health providers or defense-related health systems.
What’s Prohibited and What’s Restricted
- Prohibited Transactions: You cannot engage in data brokerage of bulk sensitive personal data with covered persons, which includes selling or licensing health data to data aggregators or analytics firms affiliated with foreign adversaries. Transactions that give covered persons access to bulk human ’omic data or to biospecimens from which such data can be derived are also prohibited outright.
- Restricted Transactions: Vendor agreements, employment agreements, and investment agreements that could give covered persons access to bulk sensitive personal data are permitted only if you implement the security requirements issued by CISA for restricted transactions.
How to Comply—The 90-Day Window Is Ticking
In an April 11, 2025 enforcement policy, DOJ stated that through July 8, 2025 it will not prioritize civil enforcement against organizations making good-faith efforts to comply, such as conducting data audits or updating contracts. Note that the rule’s affirmative due diligence, audit, and reporting requirements for restricted transactions do not take effect until October 6, 2025, but the prohibitions and the core restrictions are already in force.
Steps Health Care Entities Must Take Immediately
- Map Your Data
Identify where sensitive personal health data is stored, transmitted, and accessed. Determine if any foreign persons or entities have access, even indirectly.
- Audit and Amend Contracts
Scrutinize BAAs, employment agreements, licensing contracts, and investment deals. Ensure they prohibit data transfers to or access by covered persons unless explicitly permitted under the Final Rule.
- Update Compliance Programs
Develop or revise privacy and security policies (including your HIPAA program), data transfer protocols, and vendor due diligence procedures to address cross-border risk and foreign access.
- Coordinate with IT and Legal
Work with your CISO and legal counsel to align your organization’s cybersecurity posture with the requirements of CISA and DFARS (if applicable). Establish safeguards for both structured and unstructured data flows.
- Employee Education
Train clinical, IT, HR, and contracting staff on the Final Rule’s data handling restrictions. This is not just an IT issue—it implicates enterprise-wide operations, from credentialing to RCM outsourcing.
High-Stakes Risks for Noncompliance
Violations carry civil penalties under IEEPA (up to the greater of $368,136 or twice the value of the transaction, per violation), and willful violations carry criminal penalties of up to $1,000,000 in fines and 20 years’ imprisonment. Noncompliance may also create collateral exposure in federal health care contracting. For providers who bill Medicare or TRICARE, or who hold defense health care contracts, compliance is operationally critical.
Need Help Understanding If Your Contracts or Data Practices Are at Risk?
Parrella Health Law is ready to assist. We counsel health care clients on privacy compliance, vendor contracting, cyber risk mitigation, and national security alignment in an evolving regulatory climate. Contact us today at 857.328.0382 or email Chris directly at cparrella@parrellahealthlaw.com to schedule a risk assessment or review your existing agreements in light of this DOJ rule. Don’t wait. July 8 is upon us.

Christopher A. Parrella, Esq., CPC, CHC, CPCO, is a leading healthcare defense and compliance attorney at Parrella Health Law in Boston. With extensive experience in healthcare law, he provides robust legal support in areas including regulatory compliance, audits, healthcare fraud defense, and reimbursement disputes. Christopher emphasizes client-centered advocacy, offering one-on-one consultations for personalized guidance. His proactive approach helps clients navigate complex healthcare regulations, ensuring compliant operations and defending against government investigations, audits, and overpayment demands.