New DOJ Data Security Mandates: A Wake-Up Call for Health Care Compliance Officers

By: Christopher Parrella, Esq., CPC, CHC, CPCO Parrella Health Law, Boston, MA. A Health Care Provider Defense and Compliance Firm

Healthcare providers are long accustomed to living under the watchful eye of HIPAA. But a new regulatory threat from the U.S. Department of Justice (DOJ) has quietly emerged, raising the stakes for every compliance officer working in health care. On April 8, 2025, the DOJ's National Security Division (NSD) Data Security Program (DSP) took effect, implementing Executive Order 14117 through rules codified at 28 CFR Part 202.

Unlike HIPAA, which governs how covered entities manage protected health information (PHI), the DSP regulates how and with whom health care providers share certain categories of data, regardless of whether that data has been anonymized, de-identified, pseudonymized, or encrypted. And the penalties for noncompliance? Civil fines of up to $368,136 per violation (or twice the value of the transaction, whichever is greater), and criminal penalties of up to $1 million and 20 years in prison for willful violations.

The New Risk Landscape: Bulk Data, Foreign Transactions, Criminal Exposure

The DSP aims to protect the United States from adversarial nation-states (the rule's "countries of concern": China, including Hong Kong and Macau; Russia; Iran; North Korea; Venezuela; and Cuba) by blocking their access to bulk sensitive personal data and government-related data. The categories of sensitive personal data include:

  • Genomic and other human 'omic data
  • Biometric identifiers
  • Personal health data
  • Personal financial data and precise geolocation data
  • Covered personal identifiers
  • Any of the above even when de-identified, anonymized, pseudonymized, or encrypted

Note that "bulk" is defined by volume thresholds that differ by category (for example, personal health data on 10,000 or more U.S. persons), so the first question in any exposure analysis is how much covered data a given transaction touches.

Healthcare providers that outsource coding, billing, cloud storage, telehealth support, or software development overseas now face a new set of national security restrictions. Any vendor, employment, or investment agreement with a "covered person" (e.g., a contractor located in, controlled by, or majority-owned by a country of concern) that gives that person access to bulk covered data can be subject to enforcement under the DSP if the required controls are not in place. "Access" is read broadly: contracting with such an IT vendor, or allowing its staff remote or logical access to your EHR, is enough to bring an otherwise routine arrangement within the rule.

Compliance Obligations: What You Must Do By October 6, 2025

The DSP gives you until October 6, 2025, to implement a written Data Compliance Program if you engage in “restricted transactions” involving covered data. That program must include:

  • Risk-based due diligence on data transactions and foreign partners
  • Written policies and procedures, certified annually by a responsible officer
  • Internal auditing and recordkeeping (10-year retention)
  • Screening against the DOJ's "Covered Persons List"
  • Reporting to the DOJ within 14 days of any known or suspected violation of required onward-transfer contract terms, and of any rejected offer to engage in a prohibited transaction

Most notably, third-party relationships must be tightly managed. Providers must contractually prohibit foreign vendors from passing your data on to countries of concern or covered persons, and must monitor and enforce that commitment. Restricted transactions with covered persons are permitted only if the separate security requirements published by CISA are also met. Just having a HIPAA-compliant BAA is no longer enough.

Why This Goes Beyond HIPAA

The DSP is not another privacy regulation; it is a national security framework that holds providers accountable before a breach occurs. The DOJ is no longer focused solely on whether you had a data breach, but on whether you had reasonable data governance measures in place to prevent foreign adversaries from accessing sensitive personal data in the first place.

This means that data not traditionally covered by HIPAA, such as:

  • Anonymized health research,
  • Wearable-generated health metrics,
  • Financial transaction records tied to healthcare services,
    …may still trigger enforcement under the DSP even if your HIPAA protocols are intact.

Take Action Now: A Compliance To-Do List

Here’s what every health care organization should do immediately:

  1. Map Your Data: Know what sensitive personal and government-related data you collect, where it’s stored, who accesses it, and whether foreign entities are involved.
  2. Identify Covered Transactions: Review all vendor, employment, and investment relationships for potential exposure to countries of concern.
  3. Screen Against the Covered Persons List: The DOJ maintains a public Covered Persons List. Check it before signing new contracts, but remember that the list is not exhaustive: a vendor meets the rule's definition of a covered person by its location, ownership, or control whether or not the DOJ has designated it by name.
  4. Develop a DSP Compliant Policy: Even if you don’t believe your organization is engaged in covered transactions now, prepare for the possibility. Your compliance framework should include:
    • Written policies,
    • Screening and monitoring tools,
    • Training protocols for staff.
  5. Prepare for October: Beginning October 6, 2025, the DOJ will expect full compliance, including due diligence audits, reporting, and policy certifications.
  6. Educate Leadership: Compliance with this program is not optional. Failing to implement required measures can expose your organization and potentially your executive leadership to civil and/or criminal liability.

HIPAA is No Longer Enough

This new national security-driven enforcement regime demands a fundamental shift in how the healthcare industry views its data responsibilities. It’s not just about protecting patient privacy anymore. It’s also about safeguarding national security. Healthcare organizations must prepare now, before October 6, to avoid becoming the next DOJ target. This is a rare moment where compliance and strategy converge.

Need help developing your DSP compliance plan? Contact Parrella Health Law at 857-328-0382 or email Chris directly at cparrella@parrellahealthlaw.com to assess your exposure and craft a compliance program that satisfies both HIPAA and the DOJ’s new Data Security Program.
