Anxiety is growing over foreign access to U.S. health data, and regulators are stepping up efforts to protect this sensitive information. This post examines recent state and federal efforts to close gaps in HIPAA's coverage of electronic health information that is stored abroad or handled by foreign companies.

Strengthening Traditional Protections

Most readers are familiar with the Health Insurance Portability and Accountability Act (HIPAA), which provides federal protections for patient health information.

HIPAA requires “covered entities” and their “business associates” to follow specific privacy and security rules for electronic patient health data. However, gaps can emerge when this data is sent outside the U.S. or transferred to foreign entities. In response to these gaps, states have started to limit where health data can be stored. The U.S. Department of Justice has also recently issued a rule restricting the transfer of personal health data and other forms of sensitive personal information to certain “countries of concern.”

State Health Data Storage & Transfer Restrictions

In July 2024, Florida amended its Electronic Health Records Exchange Act to prohibit Florida health care providers and their third-party vendors from storing or transferring electronic health information outside the U.S. or Canada. With this amendment, Florida’s law is more stringent than HIPAA, which does not itself restrict where patient data may be stored.

In Michigan, a similar piece of legislation is working its way through the state legislature. HB4242 would require state-licensed health care providers to store medical records, whether physical or electronic, in the U.S. or Canada. The bill specifies that licensees remain subject to these requirements when they use a medical records company.

The federal government has also turned its attention to foreign interest in U.S. data, including “bulk” personal health data.

Federal Restrictions on Data Transactions

In December 2024, the Department of Justice issued a final rule (the “Bulk Data Rule”) restricting, and in some cases prohibiting, certain data transactions involving bulk U.S. sensitive personal data with six countries of concern: China, Cuba, Iran, North Korea, Russia, and Venezuela. The DOJ began enforcing the rule on July 8, 2025.

The Bulk Data Rule restricts transactions that would give these countries access to large amounts of personal health data. It likewise restricts access to biometric, genomic, geolocation, and financial information. The rule applies not only to the six countries themselves but also to “covered persons,” meaning entities under their ownership, control, jurisdiction, or direction. The threshold for a transaction to count as “bulk” varies by category of data. For example, human genomic data on more than 100 U.S. individuals is considered bulk; for personal health data, the threshold rises to more than 10,000 U.S. individuals.

The Bulk Data Rule includes multiple broad exemptions, which makes applying it complex. Nonetheless, the DOJ has been clear in instructing U.S. companies to understand what data they hold and how they use it. Accordingly, companies should carefully review their commercial, employment, and vendor agreements to ensure compliance.

Why These New Restrictions Matter

These new rules add to the existing patchwork of U.S. privacy laws. They cover several categories of sensitive personal data, health information among them. As a result, they create new compliance challenges for companies handling health data in the United States, particularly those that rely on third-party vendors or cloud services to store or process it. Vendors, in turn, should examine the new requirements that flow down to them and confirm they are being followed.

Time will tell whether these new and proposed state and federal restrictions are the beginning of a wave of regulatory efforts to control foreign access to U.S. health data. Either way, organizations should proactively review where their data is stored and with whom it is shared to ensure compliance with existing laws, and assess their capacity to respond to future ones.

Disclaimer: The purpose of this post is to provide general education on information governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.