New obstacles for health care: Federal and state national security regulations increasingly target health data

Health and life sciences companies are navigating largely unaligned compliance obligations meant to keep U.S. health and genomic data out of foreign adversaries' reach.

Contributors:
Kate Black
Partner
Kelley Drye & Warren, LLP
Mason Fitch
CIPP/US, FIP
Special Counsel
Kelley Drye & Warren LLP
Over the past three years, federal and state regulations designed to prevent foreign adversary nations from accessing, storing or processing American health and genomic data have expanded into a multilayered framework.
The U.S. Department of Justice's Bulk Sensitive Data Rule and state data laws in Florida, Texas and Utah — with pending legislation in additional states — collectively impose data localization mandates, remote access bans and equipment restrictions, yet these regimes remain largely unaligned.
For life sciences companies, clinical laboratories, telehealth platforms and consumer health brands, the question is no longer whether these obligations apply, but how many apply simultaneously and where internal resources should be allocated.
The regulatory landscape: Enacted laws
The U.S. Department of Justice's Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern. Effective 8 April and enforceable 6 Oct. 2025, the DOJ rule, which implements Executive Order 14117, protects U.S. sensitive personal data, including health, genomic and biometric data as well as biospecimens, by restricting access by a "country of concern" — China, Cuba, Iran, North Korea, Russia or Venezuela — or a "covered person" linked to those countries.
Companies in scope must maintain a written data compliance program including due diligence, risk-based reviews, auditing and recordkeeping for at least 10 years.
Florida Electronic Health Records Exchange Act. Effective 1 July 2023, this law requires Florida health care providers using certified EHR technology to ensure that all patient information stored offsite, including through third-party vendors or cloud providers, is physically maintained in the continental U.S., its territories or Canada.