What health care and life sciences organizations need to know:

  • “Bulk” Has a New Definition: The volume thresholds under the U.S. Department of Justice’s (DOJ’s) Bulk Sensitive Data (BSD) Transfer Rule are surprisingly low—sharing genomic data on just 100 people can trigger compliance requirements, catching many organizations off guard.
  • HIPAA Compliance Is Not Enough: The BSD Transfer Rule creates an entirely new compliance layer that goes beyond existing privacy frameworks, such as the Health Insurance Portability and Accountability Act (HIPAA), applying even when data has been de-identified or anonymized.
  • It’s About Access, Not Just Transfers: Simply giving a foreign vendor, board member, or investor the ability to view sensitive data can trigger the BSD Transfer Rule—no formal data-sharing agreement is required.

In this episode of Diagnosing Health Care®, Epstein Becker Green attorneys Laura DePonio, Elizabeth McEvoy, and Elena Quattrone walk health care and life sciences organizations through the DOJ’s BSD Transfer Rule—from scoping and compliance to enforcement risks and exemptions.


Transcript

[00:00:00] Laura DePonio: Today we're talking about one of the newer regulatory developments affecting the health care and life sciences sector, and frankly, every sector that touches sensitive personal data: the DOJ's Bulk Sensitive Data Transfer Rule, which we'll shorten to the BSD Transfer Rule for ease of reference. While this rule is framed as a national security measure, it operates in the context of everyday commercial activity, including vendor relationships and research collaborations.

[00:00:37] Laura DePonio: It has very real and immediate implications for the sector, including for hospital systems, pharma companies, research institutions, digital health businesses, their investors, et cetera, et cetera. Hello and welcome. I'm your host, Laura DePonio. I'm an attorney in Epstein Becker Green's health care and life sciences practice based out of our Boston office.

[00:00:58] Laura DePonio: In this episode, we're going to walk through what the rule actually is and where it came from, what health care and life sciences organizations need to know about it, and how enforcement risks could actually materialize. You know, before we dive in, a quick flag, if you're listening and you work in the health care and life sciences sector and you're wondering whether this rule even applies to your organization, stay with us.

[00:01:22] Laura DePonio: My guess is that the answer may surprise you. Okay, so let's dive in. Today I am joined by my colleagues, Elizabeth McEvoy and Elena Quattrone.

[00:01:31] Elizabeth McEvoy: Thank you everyone for joining us, and a brief introduction to myself, my practice, and how the BSD rule has kind of transpired to come onto my radar. My practice focuses generally around health care litigation and enforcement, advising companies on how to structure and maintain compliant academic and clinical research transactions as well. I do spend a lot of my time in the intersection of both those kind of enforcement and clinical and academic research areas. So we're often kind of looking at where the government is scrutinizing relationships in life sciences, health care, and particularly research throughout the life cycle of the research.

[00:02:07] Elizabeth McEvoy: This certainly is an area where we are seeing a lot of need to understand the BSD rule, and I'm excited to discuss that with you here today. And I should mention, I am a partner at Epstein Becker Green in our Boston office.

[00:02:21] Elena Quattrone: Thanks, Laura. Thanks for having me today. My name is Elena Quattrone and I'm a partner at EBG based out of EBG's New York office.

[00:02:30] Elena Quattrone: I focus my practice on government investigation and white collar defense, and though I work a lot with health care and what I'd like to call health care adjacent companies, my practice allows me to also work across a wide range of industries, including the dietary supplement industry, the financial sector, and other diverse sectors.

[00:02:49] Elena Quattrone: So because the bulk data transfer rule targets large-scale data flows rather than a single sector, its impact is inherently cross industry. So I'm excited to talk more about that today.  

[00:03:00] Laura DePonio: Great. Well, thanks so much for joining us. I think it's going to be an interesting discussion, at least for us data nerds. So let's start off with just an overview of sort of what the BSD transfer rule is.

[00:03:13] Laura DePonio: As you mentioned in the intro, this rule is framed as a national security measure, but it's showing up and we're seeing it show up in very practical ways for health care, life sciences investors in this space. To start, Elizabeth, can you set the stage for us? Where did the BSD transfer rule come from? What problem is it trying to solve and, you know, at the core of it, why is it not just a national security issue in practice?

[00:03:39] Elizabeth McEvoy: Absolutely. The BSD rule, although it came into effect in April of 2025, is a bipartisan effort that began with Executive Order 14117, which was actually signed by former President Biden. So the issues and intent of the rule really capture the prior federal administration as well as the current goals and objectives of the federal administration in place today. It's hard given the timing to sometimes differentiate this rule from the variety of other executive orders that came down last year, but I think it is important when understanding the future of the rule, the potential for enforcement, as well as just the general priorities of the government that this is a bipartisan rule and we expect it to have legs far and beyond the somewhat tumultuous changing of the federal administration. The second high level note for the BSD rule is that it introduces a brand new compliance scheme to organizations and makes it mandatory.

[00:04:30] Elizabeth McEvoy: Previously, organizations have been grappling with industry specific, or sometimes data practice specific regulations, federal regulations, including international regulations. The BSD rule really comes in at an intersection of many of those existing schemes and interjects brand new obligations, which we'll talk about today.

[00:04:50] Elizabeth McEvoy: But if you think of it as a Venn diagram, you have privacy laws, including some really notable ones like HIPAA and GDPR. You have national security laws already on the books, like export laws. Then you have cybersecurity laws and other attempts to protect, more technically, data. And in the middle of it sits the BSD rule.

[00:05:09] Elizabeth McEvoy: And then thirdly, it's important to note, which we'll talk about today, the broad scope of the rule. Just flagging for folks here who are less familiar, the rule has many different applications. On its face it applies to prohibited and restricted transactions and introduces a plethora of frameworks to understand those prohibitions, but it also imposes downstream obligations that go beyond the bilateral transactions.

[00:05:38] Elizabeth McEvoy: It also hinges on a concept of access, which is different than our typical kind of tangible, concrete passing over of data commercial transaction where there's an ownership or other transaction that's much easier to define. We have to note that it doesn't just affect companies that are dealing in data. It affects companies more broadly who just are gaining access to and from. So I think it's important just to understand at a very high level those aspects of the BSD rule.

[00:06:17] Laura DePonio: Yeah. And I think we've run into this too, which is when people hear the term bulk sensitive data, I think there's an assumption often that it only applies to massive data sets or really unusual or rare circumstances. And you've just touched on this, but in reality, the rule has a much broader reach. At a high level, can you help us sort of scope who's covered under the BSD transfer rule? What kinds of data transactions does it actually cover?

[00:06:46] Elizabeth McEvoy: That's right. Even though it says bulk in the name, many of the volume thresholds are simply not that voluminous. And just to underscore one that I think jumps out to many of us who practice in this area, if you're dealing in human genomic data, the threshold is 100. So that's 100 data points. About 100 persons. That's not a high number, and it's something that can be triggered, I think, quite easily. So certainly not bulk in the way we think of bulk. Some of the things, I think just to underscore about the rule and trying to assess the applicability to any organization, there's a couple ways to kind of go through the rule and it's very much a step-by-step process.

[00:07:25] Elizabeth McEvoy: So we just kind of encourage folks, if you want more guidance around that, we do have an EBG resource center that has some great materials helping organizations just filter through the process that we'll briefly mention here today. But the rule essentially aims to protect Americans' sensitive data, including geopolitical data.

[00:07:43] Elizabeth McEvoy: We'll focus today on sensitive data with six countries of concern. Those are China, Russia, Iran, North Korea, Cuba, and Venezuela. So that's the kind of target audience. And beyond those countries themselves, the rule also prohibits certain types of data transactions providing access of US sensitive data to covered persons. So those include state run entities, individuals residing in those countries, and really the concept there is control. So any kind of entity or person who's under the control of these foreign nations is subject to being covered under the rule. And so, you know, again, you're seeing the national security interest in defining where US sensitive data should not be transmitted, should not be given access to without certain precursors and certain protections.

[00:08:49] Elizabeth McEvoy: Those are the kind of recipients who have been red flagged under this rule. In terms of the actual kind of transactions that are covered here, there are, loosely, four kinds of covered data transactions that the rule targets specifically. Those are data brokerage, where we're licensing, selling, or using any commercial transaction involving data itself, vendor agreements, employment agreements, and investment agreements.

[00:09:51] Elizabeth McEvoy: So the analysis really kind of walks us through, number one, are you dealing, are you providing to one of those countries or a covered person, access to US sensitive data. Number two, is it the type of transaction that is one of those four categories? Then we get to the question of bulk. And as you mentioned, Laura, bulk doesn't mean the same thing as kind of what you might assume in a dictionary.

[00:10:14] Elizabeth McEvoy: There's actually specific thresholds for different types of sensitive data, with genomics being the most sensitive data and therefore having the lowest threshold, as I mentioned, of 100. So there's a very neat and tidy chart that you can find in our materials that really walks through those, but just to kind of flag, it's a sliding scale.

[00:09:49] Elizabeth McEvoy: So personal identifier data, personal health data, the more broadly defined categories are going to have a higher threshold. If that threshold is triggered, then you have what's called a covered transaction, and then you have to assess where you go from there. Again, lots of nuance, lots of complications, but that's the general rule. There are also downstream impacts on countries where you are dealing in bulk, but it may not be with one of the covered countries, or a covered person, so just red flag if you're dealing in bulk to back up and make sure you're understanding how the rule regulates some of that downstream data, as long as it's American sensitive data and it's in bulk at its initial transaction.

[00:10:23] Laura DePonio: Hearing all of that, and, you know, not to belabor the point too much, but what stands out to me is how easily this could apply in the ordinary course of business, especially with organizations that have global operations, complex vendor research relationships. Elena, can you help us understand what exposure companies operating in the health care and life sciences space, and otherwise, may have under this rule that they may not be fully appreciating yet. And as well, what Liz mentioned, how does this differ from everything that they're already doing under frameworks like HIPAA or state privacy laws or GDPR or one of the, you know, other data protection frameworks that we're already grappling with?

[00:11:12] Elena Quattrone: Companies that operate in the health care and life sciences spaces are actually among the most directly exposed under the BSD transfer rule, and not because they're targeted as an industry, but because of the type and volume of data that they handle. So health care and life sciences companies routinely process exactly the categories of data that the rule is designed to restrict, including personal health data, human genomic data, and biometric identifiers. And these examples are all covered under the sensitive personal data categories under the rule. And as we referenced earlier, the thresholds for what count as bulk are relatively low depending on the type of data it is. And as Liz just discussed, genomic data triggers at just a hundred US persons, which, especially when you're accounting for the 12 month lookback period, which the BSD rule applies to, that really doesn't seem that voluminous at all.

[00:12:06] Elena Quattrone: Additionally, life sciences companies in particular frequently operate globally, which creates additional risks, since the BSD rule focuses on foreign access, it's common for clinical trials to be conducted globally. We often see research collaborations with foreign universities or other entities. Procedures may be outsourced to CROs, contract research organizations, or data processors, and vendors or subcontracted partners may be operating overseas.

[00:12:35] Elena Quattrone: If any of these entities are tied to a country of concern and they allow access to bulk sensitive data, the BSD rule is triggered and the analysis must be conducted. And it is not limited to just traditional health or financial data. It instead focuses on categories of information that could pose a national security risk if accessed at scale.

[00:12:56] Elena Quattrone: From that definition, you can see that the BSD rule is industry agnostic, whereas HIPAA only really applies in the health care setting. So again, the BSD rule is not limited to health care. Further, the BSD rule is triggered even if data in a prohibited or restricted transaction is de-identified, anonymized or encrypted.

[00:13:16] Laura DePonio: So the million dollar question, I guess, or many-million dollar question is, how can health care and life sciences companies achieve compliance with the requirements of the BSD rule? Understanding that we're limited in, you know, the scope of the overview that we can do on a podcast.

[00:13:34] Elena Quattrone: Right? Sure.

[00:13:35] Elena Quattrone: Again, the rule is complex. So at a high level, I think when thinking about compliance with the BSD rule, organizations should think about how the BSD rule presents a genuinely new compliance layer for organizations and not just an extension of existing privacy obligations. So companies need to rethink how data moves through their organization and who they partner with, especially given how central large sensitive data sets are to research and operations.

[00:14:04] Elena Quattrone: The DOJ's National Security Division, the entity that oversees this new rule, implemented the data security program, which sets forth controls to prevent countries of concern from accessing bulk sensitive data. US persons may not knowingly engage in a restricted transaction, which is a covered data transaction involving a vendor agreement, employment agreement, or investment agreement with a country of concern or a covered person, unless the US person complies with the applicable data security program requirements, of which, you know, there are many and it is a bit complex.

[00:14:37] Elena Quattrone: The hallmarks that the DSP includes are, you know, a company's obligation to know their data, including the kinds and volumes of data collected about, or maintained on, US persons or US devices. How their company uses the data, whether their company engages in covered transactions, and conducting that analysis. And how such data is marketed, especially with respect to employees, contractors, senior officials, et cetera.

[00:15:05] Elena Quattrone: So this presents a "do this, not that" moment on exemptions. You know, sponsors should be assessing whether domestic data handling is feasible. Institutions should be building data security program requirements into sponsored research agreements now, rather than waiting for, say, a grant application or regulatory submission to surface the issue. Companies should start developing formal risk-based and auditable programs that are tailored to their specific data, their business model, and the parties they contract with. And again, companies should really start thinking about ways and start undertaking steps to, as we say, know their data, and understand their vendor relationships and the flow of their data between those entities.

[00:15:50] Laura DePonio: Yeah, that makes a lot of sense. And I know that this is not, at least in my limited experience with these podcasts, this is not the first time data mapping has come up. And it is such a key part of really any organization that's dealing in technology or data at all. So Elizabeth, you know, on that point, based on what you've seen in practice, where are organizations most likely to have exposure? Where do you think they could be most likely to have exposure that they may not even really know about yet?

[00:16:24] Elizabeth McEvoy: Yeah, I think Elena kind of highlighted it nicely. A lot of organizations have very robust compliance departments right now. They know they're dealing in data. They know they have personal data, whether it be of a specific level of sensitivity or just health data in general.

[00:16:39] Elizabeth McEvoy: They're not fully aware of this rule or how this rule layers on to their existing compliance network. So I think, you know, one way organizations may have exposure at this moment is to simply not appreciate, to not know, have not done that deep dive into the volume of data, the types of data that they are providing access to.

[00:17:00] Elizabeth McEvoy: And again, it doesn't have to be data that they're necessarily leasing or commercializing or even, you know, entering into these bilateral agreements with say, a CRO or a sponsor in the clinical research context. It simply has to be an access. So I think it's really critical that folks, especially, again, if you know that your company has data and you know that's already an existing risk for your company, to be aware of these specific thresholds and these specific guardrails and look at them quickly.

[00:17:33] Elizabeth McEvoy: The first reports were due on March 1st of this year, and it's something that is, you know, certainly on the books and is compulsory for these companies. So that's one area just to stress for companies that are new to the BSD rule to really, you know, take quick action to get up to speed.

[00:17:52] Elizabeth McEvoy: There's also other types of, you know, entities and types of activities that I think present a particularly high risk for BSD rule compliance needs. And one I want to mention that I haven't heard get as much attention probably as it should have, is around the investment and the transactional space where there are companies who are either merging, acquiring, or investing in companies.

[00:18:15] Elizabeth McEvoy: And by virtue of those activities are gaining access to data, whether it's in the due diligence space or whether it's as part of their investment in rights. Certainly, again, the key word here, you'll hear us say it over and over again, is access. So anytime a company is gaining access to personal data and you are dealing cross border in the volumes that are covered by this rule, you really have to think closely about where your end users are.

[00:18:39] Elizabeth McEvoy: Are they in those countries of concern, are they otherwise covered persons, or are your partners in those non-countries of concern able to share access down the line, and what does that look like for you as the investing company sharing that initial access? So, I just want to stress that I think access is really the name of the game.

[00:19:00] Elizabeth McEvoy: And so we see a lot in the private equity, in the transactional space, a need for companies, whether you're the acquiring company, the company getting acquired, or investing, to really understand where these lines are drawn and can understand, again, going back to the points Elena just made, know the volumes of the data, know the types of data and know where it's going.

[00:19:19] Elizabeth McEvoy: I don't think there's often a huge visibility through the lifecycle of data. And to your point, Laura, data mapping. People are more focused on the immediate transactions, and that's certainly not what the rule says, and I think this rule is a very intentional attempt by the US government to put some national security emphasis around the idea that Americans can't just send out their data to the world in a way that it can be picked up by these potential adversaries and foreign adversaries and used to, you know, threaten national security. So really kind of understanding it in the transactional context, understanding that it's not just ownership, it can also be investment, and that access really means the ability to access, not just access itself.

[00:20:03] Elizabeth McEvoy: Whether it's logical or physical, it's just the ability to obtain, read, decrypt, decode, or in any way alter data. That is the trigger here. So it's something that I think really does warrant a close look in the transactional space. A few other areas where I see the BSD rule having particular significance, the first is certainly in genomics.

[00:20:23] Elizabeth McEvoy: The threshold of 100 US persons is very low. And here is a good place to emphasize that we are often talking about transactions because that's the most direct way the rule is written, but the rule is very clear that companies also have to take stock of their data activities going back 12 months.

[00:20:42] Elizabeth McEvoy: Now, it is not your collective cumulative transactions for 12 months, so everyone can, you know, kind of avoid that quick heart attack. But what they're looking at is over 12 months, if a company has been, you know, intentionally or otherwise sharing data about the same US person with the same country of concern or foreign recipient, if we're looking at it more broadly, that can still cross the threshold.

[00:21:05] Elizabeth McEvoy: So again, looking at the genomics industry, you very well may be working through legitimate business operations and come across that threshold in the course of 12 months. So those industries really, I think, have to understand their business operations and, you know, their clientele and just simply understanding where those thresholds fall. And understanding it in a way that allows them to navigate around potential inadvertent non-compliance.

[00:21:33] Elizabeth McEvoy: There's also some additional considerations for digital health and wearable industries. Again, picking up large volumes of data and where those data are being stored, oftentimes, again, going back to access. Are they being stored in a cloud server that has the ability to be accessed by a vendor in one of those countries, is really important to understand kind of the flow there because they're often dealing in high volumes of data.

[00:21:58] Elizabeth McEvoy: We also see this in insurers and health plans. You know, we don't always talk about them as squarely as dealing in data as currency, but of course they're collecting very high volumes of data about many different US persons, and there's a lot of cross border and international collaborations, whether it's by virtue of technology or otherwise, call centers being outsourced to different countries. It's important to understand where the flow of data is going and how it's being done, and just another kind of red flag moment. A lot of organizations may say, listen, we understand whenever we are doing any cross border work, we're always de-identifying data.

[00:22:35] Elizabeth McEvoy: And just to go back to something that was a point already made. That's not sufficient in most contexts under the BSD rule. The BSD rule is looking at a much different set of technical compliance measures. And again, you have to still fall within a certain category of covered transactions to simply even be able to follow those compliance measures.

[00:22:53] Elizabeth McEvoy: So it's important around the education piece as much as anything that these industries with a higher risk understand that the risks are new. And they require additional, if sometimes not brand new, analyses. And then I'll just end kind of with a point that goes beyond necessarily the health care and life sciences sector, but for international employees, board members and contractors.

[00:23:15] Elizabeth McEvoy: You know, we live in a very international world right now. A lot of things are done remotely and a lot of people are, you know, working in countries where they do not reside. And in this instance, because there's a potential for US sensitive data to be shared in the normal course of business operations, it's important for organizations in any industry to really understand what data is leaving their industry and going to which country and what that looks like. Right? Who's the end user? How are we protecting, if at all? And I think we see a very tangible example in board members. There are very sophisticated board members globally, and oftentimes companies may have a board member who sits in one of those countries of concern.

[00:23:55] Elizabeth McEvoy: Maybe they reside there, but they don't work there. You know, there's countless iterations, and when that happens the companies do have to take a very close look at what entitlement a board member may have to data, even if it's not that they're using it on a day-to-day basis, but they're making high level decisions.

[00:24:13] Elizabeth McEvoy: The ability to technically access data may run afoul. So there's a, you know, endless list of these iterations of how the rule can sneak up on you, but those are just a few to flag when we think about kind of where the exposure could be great as we sit here today.

[00:24:28] Laura DePonio: I think we all have a much better understanding of the scope, but the first question oftentimes, at least, we all get from clients is, okay, but how much do I actually need to worry about this? So Elena, let's talk about enforcement. We know the grace period has ended. The rule is fully in effect, yet there is still a lot of uncertainty about what enforcement actually looks like or actually will look like. You both have deep experience in the regulatory enforcement space. Can you speak at a high level, Elena, about how enforcement under the rule is structured?

[00:25:07] Elena Quattrone: Sure. Yeah. So enforcement authority sits with DOJ's National Security Division, which is important because it sort of sits at the intersection of law enforcement, intelligence, and national security policy. But its main enforcement arm is inside the Department of Justice. And it's not often, I think, that we see this level of oversight, and even though the focus of the BSD rule is on these six countries of concern, as we said, you know, the implications of the rule go beyond those six countries of concern depending on the flow of data.

[00:25:38] Elena Quattrone: So yeah, you know, the impact is great. But since the BSD rule is so new, first annual reports were only due on March 1st of this year, as Liz mentioned. And, you know, because it's so new, there has been no formal DOJ enforcement actions under the rule that at least have been publicly announced as of early 2026.

[00:25:59] Elena Quattrone: And again, the grace period for the rule only ended in July 2025. So we're really at the early stages of seeing what enforcement will actually look like here. And we're reading tea leaves a bit to anticipate what enforcement action will look like in the future. But importantly, the DOJ's compliance guide notes that internal audits can be used as evidence against a company in an enforcement action. Therefore, the auditing and reporting requirements that just went into effect are important for companies to take note of and to undertake, to ensure compliance with the rule. Because you don't know when, you know, when DOJ will come knocking, when there might be some enforcement action taken.

[00:26:39] Elena Quattrone: This means also that a poorly designed or incomplete audit can become Exhibit A for the government, which is why it's important to start thinking about, you know, your compliance policies. And as we said earlier, creating auditable programs now to ensure you're in compliance with the rule. Notably, there are penalties promulgated under the rule, including civil and criminal penalties.

[00:27:01] Elena Quattrone: The civil penalties are up to the greater of $368,136 or twice the value of the violating transaction. And willful criminal violations are up to 1 million and/or up to 20 years imprisonment. So we're talking about very real implications for violations and this is something that I think companies should be aware of.

[00:27:26] Elena Quattrone: But, you know, outside of DOJ's context, you know, there's other enforcement vectors that are worth thinking about depending on the situation. So, you know, as we've referenced earlier, if you're operating in the M&A space, compliance with the BSD rule could become important with regards to due diligence.

[00:27:44] Elena Quattrone: You know, acquiring a non-compliant company could create successor liability or liability risk later on. There's also potential whistleblower exposure here. Employees and competitors who become aware of violations may report that directly to DOJ's National Security Division. Institutions that are receiving federal funding may also have additional exposure, especially under the Federal False Claims Act, which imposes liability of up to three times the government's actual damages, and critically includes a qui tam provision that allows private whistleblowers to file suit on the government's behalf and share in any recovery. So the implications for violations of the rule are vast and not limited to just what's implicated or, I guess, promulgated directly under the rule.

[00:28:28] Laura DePonio: You know, what about outside of the regulatory enforcement space? You know, especially over the last five years or so, a little bit longer than that I suppose, we know that there has been a lot of private civil litigation coming out of alleged data protection violations.

[00:28:49] Laura DePonio: And so we know that this rule doesn't create a private right of action itself, but can either of you speak to, you know, sort of reading the tea leaves, what we think or what we're already seeing about how this is going to show up in other spaces?

[00:29:04] Elizabeth McEvoy: I will say the plaintiffs' bar has not missed a beat with this new privacy-related rule.

[00:29:09] Elizabeth McEvoy: So as Elena just walked through, when we think of DOJ rules, we typically think of civil and criminal enforcement. And here there's certainly significant civil fines and penalties and there's potential for criminal enforcement and imprisonment up to 20 years. So both of those tools are readily available to the government.

[00:29:27] Elizabeth McEvoy: But what we've seen most immediately, which you know, may surprise some though, I think, folks who have followed kind of HIPAA litigation are less surprised, is that there is a real leveraging of the BSD rule to overcome some obstacles in bringing class action civil suits based on privacy and alleged kind of privacy related violations.

[00:29:48] Elizabeth McEvoy: So to back up a moment, the BSD rule, the reason we speak so much and so heavily emphasize government enforcement is because there is no private right of action. So I cannot sue Elena for her actions violating the BSD rule. It's simply not available to me, and it's not going to be a viable theory that would pass muster under a court's pleading standards.

[00:30:09] Elizabeth McEvoy: But, and that is similar to HIPAA, which is, you know, another privacy based rule, and I think another place where folks have had grievances about the way their personal data have been handled. So beginning last fall, shortly after the rule became fully effective with Subpart D, we saw a number of class actions take off.

[00:30:29] Elizabeth McEvoy: And the class actions themselves were largely brought, if not exclusively, under the Electronic Communications Privacy Act. So we expect to see many more of these and possibly other parallels similar to the ECPA, where the BSD rule will provide some favorable advantage in terms of pleading theories, but certainly an area of civil liability that is near and dear to the BSD rule and really providing a mechanism for willing plaintiffs to avoid being thrown out of court for not having a private right of action and finding a private right of action in a different law.

[00:31:06] Laura DePonio: Yeah, it's interesting. I think it's, if anyone has further interest, worth looking at a few of the complaints to see how, you know, damages are framed up in those, even just state law privacy cases. It seems like it could provide a pretty clear, to your point, playbook about how this is going to look for the plaintiffs' bar.

[00:31:27] Laura DePonio: You know, and sort of a similar but, you know, point that you had mentioned about exemptions. You know, Elizabeth, we do a lot of work with organizations in the research space. Can you talk about some of the things that we've been keeping an eye on vis-à-vis the relevant exemptions under the rule? I think that the inclination would be to read those broadly. And can you talk about some of the scenarios where that enforcement risk could materialize that institutions should be keeping an eye on?

[00:31:58] Elizabeth McEvoy: Yeah, absolutely. So there's kind of three main exemptions that clinical and academic research organizations should keep an eye on.

[00:32:06] Elizabeth McEvoy: The first, maybe the most important in the academic space, which is there is an exemption, fairly broadly worded, for research and data sharing activities that are conducted pursuant to US official business. So specifically in the rule, grants and contracts with a federal agency or department are included within the scope of official US business.

[00:32:26] Elizabeth McEvoy: So only those federal research activities that are specifically authorized in the notice of award are going to be exempt. So to give this like a practical lens, if the grant terms and conditions, or the notice of award terms and conditions, specifically require the US organization to share their, we'll call it genomic data, some sort of, you know, qualifying sensitive data with China, and particularly with… put it into a particular database. If that's written into the terms and conditions, you have a very good defense that you are doing exactly what NIH or another research organization authorized you to do. So you might fall, and I would say you have a strong argument to fall within that US official business.

[00:33:37] Elizabeth McEvoy: But if there is another part of your collaboration that may be fully permissible otherwise under different regulations, or may be contracted for among the collaborators where the federal grant doesn't specifically authorize it, so for example if you have private foundation money and federal grant money and the investigators are going to be using, you know, a database that has access to the Chinese collaborators or access to the Russian team, then you would not have the black and white kind of clear exemption coverage under the US official business exemption. And you would have to otherwise look at the BSD rule and be compliant with the various guardrails there about how that particular class of data are being shared and at what volume.

[00:34:24] Elizabeth McEvoy: So it is nuanced, and I think academic research, even with federally funded research, is often very complex in terms of having multiple collaborators and data being shared and accessed across different countries and different platforms. So this adds, I think, a new consideration and one that should be considered upfront because obviously the ability to access data is incredibly significant to any research collaboration. And you don't want to have, you know, your legal team, your compliance team telling you as you’re about to enroll patients that you can't use the well-vetted structure that's already been put in place. So that's a key one, I think, to understand around, particularly, you know, federally funded research.

[00:35:04] Elizabeth McEvoy: Because there is a high volume of that in the United States. The other two that I think are also incredibly important fall under, kind of loosely, our clinical trial and clinical approval exemptions. So there's two different exemptions that come up often when we are looking at sophisticated research infrastructures and trying to understand if the flow of data would be permissible under the BSD rule. The two are 202.510 and 202.511. So 510 is the one that covers drugs, biologic devices, and combination products. So this is often where you are sharing data for the purposes of making a submission to a regulatory body to get a device approved to show, you know, quality data about any kind of investigational drug or device.

[00:35:49] Elizabeth McEvoy: And it also includes maintaining, right, the renewals under those particular categories. And importantly for this particular exemption, 510, it also includes, as written, sharing information with a foreign country, including in those countries of concern, if it is necessary for the approving body to make their decision.

[00:36:08] Elizabeth McEvoy: So if you are trying to get a drug approved in, I'll use China because there is a lot of research in China, and the Chinese equivalent of the FDA is requiring certain data to be shared. You, again, have a pretty good argument that you're falling within exemption 510, but if you are just using a local CRO in China, and it's not quote necessary for the regulatory approval process as written, you're going to have a harder time coming within 510 if that transaction is with a country of concern.

[00:36:36] Elizabeth McEvoy: So to reiterate, when we're looking at the exemption 510, it is an important exemption as it applies to drugs, investigational devices, and the like. Again, allowing these clinical processes to continue and allowing the regulatory processes as written to play out. But it is critical that any organization taking advantage of these exemptions both understand what the process directly entails and how the regulations are written, and be prepared to justify why data sharing in each of the contexts where data is being accessed by a country of concern, why it is necessary to the approval process.

[00:37:14] Elizabeth McEvoy: And I would also just flag, as well, if you are relying on exemption 510 in particular, there are certain additional reporting requirements. So just to be, you know, very much aware, because it is a very significant and widely relied upon exemption. The third exemption that is really highly relevant to research organizations is 511, so it's the second half of our clinical trial exemptions.

[00:37:36] Elizabeth McEvoy: This one covers bulk data transactions that are incident to or part of FDA-required investigations, as well as post-market surveillance studies. So this is, I think, an area where there is a lot of work right now to understand, you know, how devices are playing out in the market, how we can continue getting data to get products cleared into market, and there, you know, on its face, 511 allows those activities to proceed even if personal sensitive data are being shared with countries of concern. Again, I think there is some, you know, you want to be careful not to read the incident-to language too broadly, you know, the FDA process has a lot of spokes that come from it, and there's a lot of operational ways that people prepare data for the FDA process that are not quote FDA-required.

[00:38:18] Elizabeth McEvoy: So I would just make sure if you're taking advantage of that, that you do take a close look at the process and make sure you're comfortable that each and every one of these transactions where data has… may be accessed by a covered person is, you know, incident to, and certainly part of the FDA requirements.

[00:38:39] Elizabeth McEvoy: But again, a very helpful exemption. One that shows us that in some ways, the National Security Division, it means what it says when the preamble claims they don't want to interrupt, the government doesn't want to interrupt the existing frameworks for some of these collaborations and data sharing regimes.

[00:38:55] Elizabeth McEvoy: So it is helpful to know that the FDA, in some ways, the FDA requirements do trump the BSD rule limitations, but there is some interplay there.

[00:39:05] Laura DePonio: So we've covered a lot today, and I think established that we may have all spent way too much time reading this rule at this point. But I want to make sure that our listeners sort of walk away with something practical that they can do, you know, today, this week, next week, this month. So for health care and life sciences organizations that might just be starting to think about this rule, or realizing that they have some blind spots based on what we discussed today, you know, Elena, what are some of the first steps or the first steps that you would recommend an organization take right now?

[00:39:45] Elena Quattrone: Yeah. So I think, you know, hearing this, our presentation today, as Laura said, I think we shared a ton of information and there's a lot to digest here, but I think we can sort of distill this down into three broad categories. The first being, you know, a phrase that you've heard throughout this presentation, is know your data and know your vendors, know your counterparties.

[00:40:03] Elena Quattrone: Start with a data mapping exercise that specifically asks and examines, are we transferring health, genomic, biometric, or geolocation data to any foreign person or entity? And if so, trace the ownership of that entity all the way up the chain, assess the volume of that data, assess the frequency, and really sort of go through that mapping exercise to assess what your risk is here, whether the BSD rule is triggered, and, you know, how you can reach compliance with the rule and what's required if you hit those thresholds. Secondly, you know, there's this theme that, you know, HIPAA compliance, especially thinking about health care related entities, HIPAA compliance is not enough here.

[00:40:46] Elena Quattrone: And assuming your vendors are domestic because they have a US address is not enough here, right? You really have to do a deep dive into relationships to see, you know, again, going back to our data mapping exercise, to examine that flow of data to see where it goes. To really look at, you know, that flow. Finally, don't assume an exemption will save you without doing this analysis, especially if you're in research, whether you're a sponsor, a CRO, an academic institution.

[00:41:17] Elena Quattrone: Take the steps now to get your compliance program in order. That is, before a grant application, a sponsor agreement, or a regulatory submission service is the issue for you. The best way to be prepared is to get prepared now, because down the chain might look something different, and you don't want to get yourself caught in the crosshairs.

[00:41:37] Laura DePonio: I think that's, you know, really actionable advice and I think a great through line for everything that we've talked about today. Which is, bottom line, that this isn't a rule that can be deferred. The grace period is over. Enforcement is live. We're not, you know, just in the world of hypotheticals at this point.

[00:41:56] Laura DePonio: So Elizabeth and Elena, thank you both so much. I expect that at least some of our listeners may have some follow-up questions. For those of you that want to go deeper, I'd encourage you to check out EBG's published resources on this topic, including, you know, some of the roadmap pieces, a hundred-day update from October, and the materials that Liz and Elena mentioned earlier on the podcast. And so with that, thank you so much.

[00:42:21] Elena Quattrone: Thank you, Laura. Thanks, Liz.

[00:42:22] Laura DePonio: Thank you, Laura.
About the Diagnosing Health Care Podcast

The Diagnosing Health Care® podcast series examines the business opportunities and solutions that exist despite the high-stakes legal, policy, and regulatory issues that the health care industry faces.