The U.S. Department of Justice’s Final Rule titled Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons (90 Fed. Reg. 1636, published January 8, 2025) became effective on April 8, 2025, but its compliance requirements are currently stayed until July 8, 2025 to give organizations time to adjust. This sweeping rule applies to U.S. hospitals, health systems, health information exchanges (HIEs), health IT and cloud vendors, research institutions, and any other U.S. persons or entities that handle, transfer, or store large volumes of sensitive personal data. For this article, however, I will focus specifically on its impact on health information exchanges (HIEs) operating as business associates under HIPAA, highlighting what they must do now to ensure that their network participants, technology vendors, and data-sharing contracts fully comply before the delayed enforcement deadline arrives — unless extended further.
The new Final Rule issued under Executive Order 14117 directly targets the national security risks posed by certain foreign adversaries’ access to large sets of sensitive U.S. personal and government-related data. It prohibits or restricts transactions that could expose this data to “covered persons” — specifically foreign persons or entities owned 50% or more by one or more “Countries of Concern” (China, Cuba, Iran, North Korea, Russia, or Venezuela). For HIEs functioning as business associates under HIPAA, this rule introduces both compliance and operational implications that must be addressed through careful review of existing contractual frameworks and vendor relationships.
First, HIEs must recognize that the rule applies not only to their direct actions, but also to any third-party vendors, subcontractors, or downstream participants that handle or transmit protected health information (PHI) or other bulk sensitive personal data on their behalf. It is therefore essential for HIEs to scrutinize each data sharing agreement and HIPAA business associate agreement (BAA) to confirm that contractual obligations prohibit disclosures, storage, or access by any foreign-controlled entity that could qualify as a “covered person” under the new rule. Many BAAs and data sharing agreements already include offshoring and security clauses; however, they may not specifically address the “Countries of Concern” framework or require vendors to attest to ownership structures and compliance with this national security measure.
Second, as a consequence, HIEs must expand their vendor due diligence. It is no longer sufficient to rely solely on representations about data storage locations within the United States. HIEs should now require each technology vendor and any subcontracted service provider to disclose whether it, any parent company, or any controlling affiliate is owned in whole or in part by a listed foreign government or individual. Moreover, the HIE should ensure its contracts explicitly prohibit the routing, processing, or hosting of PHI or other bulk sensitive personal data through any server, network, or infrastructure that could expose it to interception or control by a “covered person.”
Third, HIEs should proactively audit and update their standard data sharing and BAA templates to include detailed representations and warranties on vendor ownership, ongoing compliance, and immediate notification obligations if any corporate change could bring the vendor within the scope of the rule. This must be paired with the right to terminate or suspend data transfers immediately if a breach of this representation occurs.
In practical terms, for most HIEs, the likelihood that their core U.S.-based vendors are directly owned by these foreign governments may be low. Nonetheless, the rule imposes a clear affirmative obligation to verify and document this risk — simply assuming compliance is no longer defensible. Failure to do so exposes both the HIE and its covered entity partners to significant civil penalties (up to $368,136 per violation) and reputational harm.
In short, while the Final Rule does not change the core HIPAA Privacy and Security Rule requirements, it overlays a national security dimension that must now be addressed through rigorous vendor management, contract governance, and internal audits. HIEs should coordinate closely with legal counsel to update their compliance programs and ensure that no aspect of their technology stack or vendor chain inadvertently creates a prohibited or restricted data transaction.
Key Next Steps for HIEs as Business Associates:
- Review all existing data sharing agreements and HIPAA BAAs to identify any gaps related to “Countries of Concern” restrictions.
- Amend contracts to require explicit vendor representations about ownership structure, compliance with the Final Rule, and immediate notice of any change.
- Update vendor due diligence questionnaires to include questions about foreign ownership, control, and data routing practices.
- Require vendors to flow down these requirements to any subcontractors with access to PHI or other sensitive personal data.
- Implement a process for regular re-verification and recordkeeping to demonstrate ongoing compliance, in line with the DOJ’s record retention obligations.
- Train relevant staff on these new obligations so they can spot potential red flags in vendor or participant relationships.
This integrated approach will help HIEs meet both their HIPAA and national security compliance responsibilities while maintaining the trust of patients, providers, and public agencies in an increasingly complex regulatory environment.