At a Glance

• Montana recently enacted its Genetic Information Privacy Act (MT GINA), which prohibits companies from storing genetic data and biometric samples in any country that has been sanctioned by the Office of Foreign Asset Control (OFAC) or designated a foreign adversary under 15 C.F.R. § 7.4(a).
• Florida’s S.B. 264 requires “health care providers” under Florida law to store “patient information” in the continental U.S. or Canada, and provides that any health care license application or renewal under Florida law must include an attestation of compliance.
• The Biden administration recently promulgated an executive order aimed at curbing “countries of concern” from accessing sensitive data, including American health data. It prohibits certain transactions in which sensitive data could be shared with “countries of concern.”

As privacy laws continue to proliferate in the U.S. and globally, there is one trend that companies, especially those operating in the health and pharmaceutical sectors, can no longer overlook. This is the trend towards data protectionism at the state and federal levels.

The localization trend arguably began in 2007, with a memorandum by the Centers for Medicare & Medicaid Services (CMS). The memorandum, Sponsor Activities Performed Outside of the United States (Offshore Subcontracting), requires Medicare Advantage Organizations (MAOs) and prescription drug plan (PDP) sponsors to make attestations regarding how these organizations share protected health information (PHI) with contractors located outside of the United States. Specifically, the memo requires sponsors to attest to the types of PHI that may be shared with offshore subcontractors as well as the contractual safeguards and auditing procedures that are in place to protect such data.

The Offshore Subcontracting memo was an attempt to address what CMS viewed as the “unique risks” associated with the flow of Americans’ PHI to other jurisdictions — namely, that foreign governments could access American health data for nefarious purposes. Since the memo was adopted, companies throughout the health care space have incorporated the required attestation in their data sharing agreements or have restricted the flow of certain types of data outside of the U.S. altogether.

Today, concern about the extent to which foreign governments can access American health data is once again driving change in the law governing data flows. But this time, the action is at the state and federal levels. Montana recently enacted its Genetic Information Privacy Act (MT GINA), which creates a broad set of protections for genetic information and biological samples. Critically, MT GINA prohibits companies from storing genetic data and biometric samples in any country that has been sanctioned by the Office of Foreign Asset Control (OFAC) or designated a foreign adversary under 15 C.F.R. § 7.4(a).¹

The state of Florida also adopted legislation that restricts health data flows, but with a much larger scope. Indeed, Florida’s S.B. 264 requires “health care providers” under Florida law to store “patient information” in the continental U.S. or Canada. Fla. Stat. Ann. § 408.051(3). The Florida law also provides that any application for a health care license (or the renewal of such a license) under Florida law must include an attestation of compliance with the above. This requirement can be expected to hasten health care providers’ review and removal of patient information from foreign servers, given that obtaining or renewing a license is conditional upon doing so. As we saw with the CMS guidance in 2007, privacy professionals can expect data sharing agreements to include special prohibitions on the offshore storage of Florida patient information.

Last week, the Biden administration promulgated an executive order aimed at curbing “countries of concern” from accessing sensitive data, including American health data. Unlike the Florida and Montana laws, the executive order does not regulate where data can be stored. Rather, it prohibits certain transactions in which sensitive data could be shared with “countries of concern.” If you are interested in learning more about the executive order and its possible impact on your business, we encourage you to read our client alert on the topic.

Conclusion

Recent developments at the state and federal levels reflect a growing concern about the extent to which foreign governments can access American health data. These developments include data localization requirements in Florida and Montana, several enforcement actions brought by the FTC, and a recently finalized executive order from the Biden administration. Companies operating in the health care space need to act now to ensure that appropriate contractual and technical safeguards are in place to adequately protect American health data.

FOOTNOTES

1. As of writing, there are six countries that are designated “foreign adversaries”: China, Cuba, Iran, North Korea, Russia and the Maduro Regime of Venezuela. 15 C.F.R. § 7.4(a). There are an additional 17 countries under sanction by OFAC. See Office of Foreign Assets Control, Sanctions Programs and Country Information, OFAC.treasury.gov (last accessed: February 22, 2024).