The Data Security Program, implemented by the Department of Justice, aims to safeguard Americans’ sensitive personal data and government-related data from foreign adversaries. This program has significant implications for the healthcare industry, which processes and handles vast amounts of sensitive data.

### DSP Regulations and Definitions
#### Definition of Bulk U.S. Sensitive Personal Data
The DSP prohibits U.S. entities from engaging in transactions involving bulk U.S. sensitive personal data or government-related data with foreign entities or individuals from Countries of Concern or Covered Persons.

#### Covered Countries
The Countries of Concern include foreign nations that pose a significant risk to U.S. national security, such as China, Russia, Iran, North Korea, Cuba, and Venezuela.

#### Covered Persons
Covered Persons include foreign entities that are majority-owned by Countries of Concern or have their principal place of business in a Country of Concern, as well as individuals who are employees or contractors of a Country of Concern or Covered Person, or whose primary residence is in a Country of Concern.

### Impact on the Healthcare Industry
#### Sensitive Data
The DSP covers a broad range of sensitive data typically processed by healthcare organizations, including genomic data, biometric data, and personal health data. The program’s definition of personal health data is broader than that of the Health Insurance Portability and Accountability Act (HIPAA).

#### Compliance Obligations
All U.S. healthcare organizations must ensure compliance with the DSP, even if they do not directly engage with Countries of Concern or Covered Persons. They must:
• Refrain from engaging in data brokerage transactions with foreign persons that involve bulk U.S. sensitive personal data
• Report any known or suspected violations within 14 days
• Exercise reasonable and proportionate due diligence to ensure and monitor compliance with the contractual prohibition on subsequent data transfers
#### Licensing Arrangements
Healthcare organizations must also ensure that licensees comply with the DSP. The grant of worldwide license rights must not permit access to data covered by the DSP to Countries of Concern or Covered Persons.

### Consequences to Healthcare Organizations for Violations and Compliance Measures
#### Penalties
The DOJ can impose steep civil and criminal penalties for non-compliance with the DSP, including fines of up to $368,136 per violation and imprisonment for willful breaches.

#### Compliance Measures
To ensure compliance, healthcare organizations should:
• Assess data license agreements and other agreements to determine if data covered by the DSP is implicated
• Assess whether impacted agreements constitute a prohibited or restricted transaction
• Assess whether agreements contain restrictions limiting access by Countries of Concern or Covered Persons, and whether agreements with foreign persons contain additional restrictions on further access to, or circulation of, the data
### What’s Ahead?

#### Initial Enforcement Period
During the initial full-enforcement period, the DOJ will focus on compliance with prohibitions and limitations on restricted transactions.

#### Additional Reporting Requirements
Beginning October 6, 2025, additional reporting requirements for certain restricted and prohibited transactions will take effect, along with due diligence requirements and audit requirements for restricted transactions.

#### Key Takeaways
• The DSP aims to safeguard sensitive data and government-related data from foreign adversaries.
• Healthcare organizations must ensure compliance with the DSP, even if they do not directly engage with Countries of Concern or Covered Persons.
• The program’s definition of personal health data is broader than that of HIPAA.
• Compliance with the DSP is critical, as the DOJ can impose steep penalties for non-compliance.
### Implementation and Key Compliance Considerations
The DSP took effect on April 8, 2025, and the DOJ is now fully enforcing the program following the initial 90-day limited enforcement period. Healthcare organizations should conduct a thorough review of their data license agreements and other agreements to determine if they cover bulk U.S. sensitive personal data or government-related data. All U.S. healthcare organizations must comply with the DSP, even if they do not directly transact with Countries of Concern or Covered Persons.

#### Healthcare Organizations’ Compliance Obligations
By assessing data license agreements and other agreements, identifying prohibited or restricted transactions, and assessing restrictions on access, healthcare organizations can ensure compliance with the DSP. The program’s broad definition of personal health data and its implications for healthcare organizations require careful consideration.
### Consequences for Non-Compliance
The DOJ can impose severe penalties for non-compliance with the DSP, including fines of up to $368,136 per violation and imprisonment for willful breaches. Healthcare organizations must prioritize compliance to avoid these severe consequences. The DSP’s broad scope and implications for the healthcare industry demand a proactive approach to compliance. By understanding the program’s provisions and taking steps to ensure compliance, healthcare organizations can minimize the risk of non-compliance and protect sensitive data.
### Conclusion
The DSP’s implementation and enforcement pose significant challenges for the healthcare industry. By understanding the program’s provisions, identifying compliance obligations, and taking steps to ensure compliance, healthcare organizations can navigate the DSP’s requirements and protect sensitive data. Healthcare organizations must prioritize compliance to avoid severe penalties and minimize the risk of non-compliance.
