HIPPA Archives - Zasio

Navigating New U.S. Health Data Laws

Zasio — Wed, 30 Jul 2025 15:26:34 +0000

Anxiety is growing over foreign access to U.S. health data. In response, regulators are stepping up efforts to protect this sensitive information. This post examines recent efforts to close gaps under HIPAA regarding the handling of electronic health information by foreign companies and abroad.

Strengthening Traditional Protections

Most readers are familiar with the Health Information Portability and Accountability Act (HIPAA), which provides federal protections to patient health information.

HIPAA requires ‘covered entities’ and their ‘business associates’ to follow specific privacy and security rules for electronic patient health data. However, gaps can emerge when this data is sent outside the U.S. or transferred to foreign entities. As a result of these gaps, states have started to take steps to limit where health data can be stored. The U.S. Department of Justice has also recently enacted a rule restricting the transfer of personal health data and other forms of sensitive personal information to certain “countries of concern.”

State Health Data Storage & Transfer Restrictions

In July 2024, Florida amended its Electronic Health Record Exchange Act to prohibit Florida health care providers and their third-party vendors from storing or transferring electronic health information outside the U.S. or Canada. With this amendment, Florida’s law is more stringent than HIPAA with respect to patient data.

In Michigan, a similar piece of legislation is working its way through that state’s legislature. HB4242 requires state licensed health care providers to store medical records, whether physical or virtual, in the U.S. or Canada. The bill specifies that licensees must follow these requirements when they use a medical records company.

In addition, the federal government has also turned its attention to foreign interest in U.S. data, including “bulk” personal health data.

Federal Restrictions on Data Transactions

In December 2024, the Department of Justice issued a final rule (the “Bulk Data Rule”) restricting, and in some cases prohibiting, certain data transactions involving bulk U.S. sensitive personal data with six countries of concern: China, Cuba, Iran, North Korea, Russia, and Venezuela. The DOJ began enforcing the rule on July 8.

The Bulk Data Rule blocks these countries from accessing large amounts of personal health data. It also restricts access to biometric, genomic, geolocation, and financial information. It also applies to entities under the control, jurisdiction, ownership, or direction of the six countries of concern. The definition of “bulk” transactions varies between categories of data. For example, human genomic data on over 100 U.S. individuals is considered bulk; for personal health data, the number increases to 10,000.

The Bulk Data Rule includes multiple broad exceptions, making it complex. Nonetheless, the DOJ has been clear in its instructions to U.S. companies to understand the data they hold and how they use it. Accordingly, companies should carefully review their commercial, employment, and vendor agreements to ensure compliance.

Why These New Restrictions Matter

These new rules add to the existing patchwork of U.S. privacy laws. They cover all types of personal data, including health information. As a result, they can create new compliance challenges for companies handling health data in the United States, particularly those using third-party vendors or cloud services. Vendors should also examine new requirements to ensure they’re being followed.

Time will tell whether these new and proposed state and federal restrictions are the beginning of a wave of new regulatory efforts to control foreign access to U.S. health data. Either way, organizations should proactively investigate their records management solution to ensure compliance with existing laws, as well as assess their capacity to respond to any future laws.

Disclaimer: The purpose of this post is to provide general education on information governance software. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Navigating New U.S. Health Data Laws appeared first on Zasio.

Pandemics and Personal Data

Zasio — Mon, 16 Mar 2020 19:14:05 +0000

In light of the COVID-19 (coronavirus) viral disease officially being classified as a pandemic, nations around the world are grappling with how to best manage and prevent further spreading of the disease. One such measure we see being taken, especially in early stages of the fight, is contact tracing, where persons infected with the virus and those they have been in contact with are closely monitored, to help predict and prevent further transmission of the disease.

While contact tracing can be vital to helping control the spread of a disease, it can also raise significant personal data concerns. During this process, information is gathered and potentially shared amongst employers, health officials and government agencies. This might include information such as a person’s health data, address, family members, employment details, travel schedules, and even personal contacts. To what extent can this personal information be gathered? Is consent required? How long will it be kept? What rights and protections does an individual have regarding such data that has been collected?

As things currently stand, here is a snapshot of how several governments are dealing with data protection concerns with respect to COVID-19 data gathering:

European Union

Generally, members of the EU are required to comply with the GDPR. However, Article 6 of the law allows for processing of data without consent in special cases, including cases where “processing is necessary for the performance of a task carried out in the public interest…” Article 9 prohibits processing of many categories of personal data (such as race, ethnicity, genetic and health) unless a specific exception is met. One such exception is when processing is “necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health…”

As COVID-19 and GDPR priorities begin to intersect, we are starting to see data protection authorities in EU countries issue data processing guidance and even pass emergency measures allowing for data processing by governmental personnel in order to track and combat the disease.

Italy’s civil protection department passed Decree 630 of 3 February 2020, (these provisions also being included in Decree-Law 14 of 9 March 2020) which essentially suspends certain data protection rights in order for various entities to process personal data in carrying out civil protection activities to fight the disease. This is effective until July 30, 2020, unless otherwise provided for.

France’s CNIL issued guidance outlining what organizations and employers can and can’t do, with respect to processing personal data during the coronavirus crisis .

Ireland’s Data Protection Commission issued supervisory guidance on March 6, outlining rights and obligations of personal data processing by governments and organizations (including employers) during the crisis.

In Denmark, the DPA published brief guidance on personal data that is justifiable for employers to collect and share, in connection with the coronavirus.

China

To help protect personal data during the coronavirus outbreak, The National Health Commission of China and the PRC Cyberspace Administration of China (CAC) have issued notices and circulars providing guidance and outlining requirements with respect to the collection and management of personal data. Among other things, the guidance emphasizes the importance of protecting personal data according to Chinese laws and regulations, and it discusses parameters for collecting data pursuant to epidemic prevention and mitigation efforts.

Singapore

The Personal Data Protection commission issued an advisory concerning personal data that organizations may collect without consent for purposes of COVID-19 contact tracing.

United States

Currently there is no comprehensive federal-level data protection law, but there are several federal and state laws that address data privacy and protection. With the COVID-19 situation continuing to evolve, we are seeing bulletins, waivers, and other documents and notices being released at the federal level, addressing issues of HIPAA privacy and the coronavirus.

As the COVID-19 situation continues to roll out, it will be interesting to see how governments handle the balance between persona data rights and public need to access and use such data to mitigate large-scale health crises such as pandemics.

Bringing this down to a company level – at all times, and especially in times of widespread public health emergencies when it is possible if not likely that personal data might be processed or shared, it is important for businesses to understand their jurisdictional data protection laws and rules. Also crucial is the need for companies to be forthwith and transparent with their clients and employees about what, when, and how personal or sensitive data is being processed. A robust information governance program that is already in place can significantly help in these efforts.

For your current information governance and data compliance needs, contact Zasio today.

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

Author: Jared Walker, JD

Senior Research Analyst, Team Lead / Licensed Attorney

The post Pandemics and Personal Data appeared first on Zasio.