Well before the latest government shutdown, the U.S. Department of Justice’s National Security Division (DOJ NSD) issued a final rule at 28 CFR Part 202 (“2025 Final Rule” or “Rule”) to help prevent “countries of concern” or “covered persons” from accessing U.S. government-related data and Americans’ bulk sensitive personal data. The 2025 Final Rule took effect in April—and after a 90-day safe harbor period, the DOJ began enforcement on July 8.
Six months after implementation—with the U.S. Senate now passing the BIOSECURE Act restricting certain biotech business with China—compliance remains the key for affected stakeholders, including those exchanging personal health data. As we reported in July, the 2025 Final Rule implemented the prior administration’s Executive Order 14117 of February 28, 2024, by prohibiting and restricting “bulk” data transactions with countries that could threaten U.S. national security through the use of Americans’ sensitive personal data.
While the 2025 Final Rule remains largely untested, federal agencies and stakeholders alike have taken action to test the bounds of the Rule and, in some instances, expand applicability beyond 28 CFR Part 202. Below is a brief refresher of the key elements of the Rule and some recent developments.
Blog Editors
Recent Updates
- Brand Licensing in Health Care: An Overview for Hospitals
- FDA Proposal Would Extend Food Traceability Rule’s Compliance Deadline to July 2028
- NYDFS Cybersecurity Crackdown: New Requirements Now in Force, and "Covered Entities" Include HMOs, CCRCs—Are You Compliant?
- The Case for Regular Legal Maintenance: A Litigation Readiness Mindset for Modern Health Care Organizations
- The Rising Threats of Multi-Modal and Agentic AI in Cyber Attacks