As a privacy officer working with life sciences and health care clients, I’ve watched the compliance burden shift from HIPAA-centric concerns to a more complex national security overlay. Over the past three years, federal and state rules aimed at blocking foreign adversaries — primarily China — from accessing American health and genomic data have created a fragmented but increasingly onerous regime.
The question for most organizations is no longer whether these rules apply, but how to manage overlapping obligations without burning out internal teams or slowing down critical operations.
The Federal Baseline: DOJ’s Bulk Sensitive Personal Data Rule
The U.S. Department of Justice’s rule implementing Executive Order 14117 (28 C.F.R. Part 202) took effect on April 8, 2025, with its due diligence, audit and reporting obligations following on October 6, 2025. It casts the widest net. It regulates “covered data transactions” that give a “country of concern” or a “covered person” access to bulk U.S. sensitive personal data, where the bulk thresholds are counted in U.S. persons, aggregated over the preceding 12 months: more than 10,000 for personal health data, 1,000 for biometric identifiers, and just 100 for human genomic data. The countries of concern are China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela.
Not every covered transaction is treated alike. Data brokerage, and any covered transaction that gives access to bulk human genomic data or to biospecimens from which it can be derived, is prohibited outright; vendor, employment and investment agreements are “restricted,” meaning they are permitted only if the CISA security requirements are met. Companies engaging in restricted transactions must maintain a formal compliance program with due diligence, annual audits, and 10-year recordkeeping. Violations carry steep penalties: civil fines of up to the greater of roughly $378,000 or twice the value of the transaction per violation, and willful violations expose individuals to criminal charges carrying fines of up to $1 million and 20 years in prison. Transactions that are part of FDA-regulated clinical investigations or that are necessary to obtain or maintain regulatory approval have narrow exemptions, but reliance on an exemption must be documented.
State-Level Momentum
States are moving faster and often more prescriptively than Washington.
Florida’s Electronic Health Records Exchange Act (effective July 2023) requires providers using certified EHR systems to keep patient data physically stored in the continental U.S., its territories, or Canada. No specific country designations — just geography.
Texas Genomic Act (HB 130), effective September 1, 2025, targets genome sequencing. It bans use of sequencers or related software tied to foreign adversaries, requires U.S.-based storage, and requires that the data be inaccessible to anyone located in those countries. Annual certification of compliance to the attorney general, prepared by counsel, is mandatory, and there is a private right of action allowing damages of up to $5,000 per violation.
Utah’s Genetic Information Amendments (HB 182), effective January 2028, goes further: prohibited equipment must be removed or permanently disabled, and storing genetic data inside a foreign adversary’s borders is banned, with attorney general enforcement, $10,000 penalties, and actual damages.
Where the Regimes Diverge — And Overlap
The misalignment creates real friction. The DOJ rule focuses on transactions and access; Texas and Utah zero in on sequencing hardware and software supply chains. Florida is narrower, tied to licensed providers and EHR systems. A national telehealth platform offering consumer genetic testing, or a biotech firm running multi-state trials, can easily fall under all four regimes at once.
Equipment and software reviews are particularly painful. Texas demands immediate cessation of use for non-compliant gear. Utah requires physical removal or disabling by early 2028. Vendor contracts must now include flow-down clauses, recertification rights, and audit provisions to support both federal recordkeeping and state annual filings.
Practical Steps Privacy Teams Should Take Now
Map your data flows and patient populations against each trigger. For the DOJ rule, count affected U.S. persons per data category over a rolling 12-month window against the 10,000/1,000/100 thresholds; the 100-person genomic threshold is the one most organizations will hit first. Identify where genomic data lives, who can access it remotely (including vendor and offshore staff accounts), and which vendors or cloud providers touch it. Conduct a supply chain audit of every sequencer and piece of sequencing software: manufacturer, ownership, and country of origin.
Review research exemptions carefully; they exist but are narrow and demand strong documentation. Update vendor agreements and add Texas-style certification requirements where needed. Quantify litigation exposure in Texas, especially for organizations holding Texas resident genomic data.
Most organizations I advise are building a centralized “restricted party” screening process for data access and a unified compliance playbook that satisfies the strictest requirements across jurisdictions.
The Road Ahead
More states are coming. Bills in West Virginia, Wisconsin, Virginia, and others signal that genomic data protection tied to national security is becoming a baseline expectation. Companies that treat this as a one-off compliance exercise will fall behind. Those investing in robust data mapping, vendor governance, and auditable controls will be better positioned as the patchwork grows.
The days of treating health data privacy as purely a HIPAA or consumer privacy issue are over. National security considerations now sit at the center of the table for any organization handling meaningful volumes of health or genomic information.