Preventing Unauthorized Access to U.S. Sensitive Personal Data and Human Biospecimens

To address a growing national security concern where foreign adversaries may gain access to and exploit U.S. Government-related data and/or Americans’ bulk sensitive personal data through research, commercial, or collaborative activities, federal agencies have begun to enhance regulation around the transfer of human biospecimens and data.

For workforce members, researchers, and clinical investigators at the Medical Center, this means responsibly handling categories of bulk sensitive data and human biospecimens to ensure that they are not accessed by or transferred to countries of concern or covered persons subject to those regulations.

This guidance outlines key responsibilities for Lurie Children’s researchers and staff involved in sharing or managing U.S. government-related data or bulk U.S. sensitive personal data as well as human biospecimens to ensure compliance with federal regulations.

The Export Control and Research Data Compliance teams at the Medical Center are available to provide guidance on data classification, licensing requirements, external technology approval and compliant data-sharing practices. For any questions, please contact the Export Control or Research Data Compliance teams.

“Countries of concern” are nations that have been identified by federal regulators as posing a heightened risk to the security of the United States and/or safety of U.S. persons due to their government’s efforts to access and exploit U.S. sensitive personal data or U.S. Government-related data. For the purpose of preventing unauthorized access to U.S. sensitive personal data and human biospecimens, reference this list of “countries of concern.”

A covered person is an individual or entity subject to restrictions under federal regulations such as the Department of Justice’s (DOJ) Bulk Data Rule (BDR) (28 CFR Part 202), which prohibits or restricts certain categories of data transactions between U.S. persons and covered persons involving bulk sensitive personal data or U.S. Government-related data.

“Covered persons” may include any of the following:

  • Foreign entities (organizations, companies, universities, etc.) organized under the laws of, headquartered in, or 50 percent or more owned by a country of concern or another covered person
  • Foreign individuals who are employees or contractors of such entities or of a country-of-concern government
  • Foreign individuals primarily resident in a country of concern
  • Contractors, vendors, or researchers affiliated with such entities, and any person the Attorney General has designated as a covered person

The National Institutes of Health (NIH) establishes restrictions on the transfer of U.S. persons’ human biospecimens under the NIH Policy on Enhancing Security Measures for Human Biospecimens (NOT-OD-25-160).

Human biospecimens are any quantity of tissue, blood, urine, or other human-derived material. A human biospecimen can comprise subcellular structures, cells, tissue (e.g., bone, muscle, connective tissue, and skin), organs (e.g., liver, bladder, heart, and kidney), blood, gametes (sperm and ova), embryos, fetal tissue, and waste (urine, feces, sweat, hair and nail clippings, shed epithelial cells, and placenta). Human biospecimens include those that are isolated and propagated into new cell lines. The term also includes cell lines for which an agreement is in place to commercially or publicly make them available, but for which the cell lines have not yet been made commercially or publicly available.

Institutions or entities that hold human biospecimens of U.S. persons collected, obtained, stored, used, or distributed using ongoing or new NIH funds as of October 24, 2025, are prohibited from directly or indirectly distributing those human biospecimens to other institutions or parties located in countries of concern.

Exemptions

Human biospecimens may be shared or distributed to countries of concern only under limited circumstances:

  1. Legal and Regulatory Compliance: the use is required or authorized by Federal law, by the funding agency’s grant or contract, or by an international agreement, or is necessary to comply with applicable Federal laws, regulations, and policies.
  2. Rare and Compelling Scientific Need: the facility and personnel in the country of concern possess unique capabilities or expertise not available elsewhere, and the use cannot be delayed until such capabilities become available elsewhere. The use must be conducted with the informed consent of the individual from whom the biospecimen was collected.
  3. Individual Request for Clinical Use: the biospecimen is requested by the individual from whom it was collected, obtained, or stored using NIH funds, for purposes of diagnosis, prevention, or treatment of that individual, and in compliance with applicable Federal laws.
  4. Secondary Use: materials derived from the biospecimen (for example, cell lines) were already publicly accessible or commercially distributed before the NIH policy took effect (October 24, 2025), even though NIH funds were used in their handling.

Please contact the Export Control team if you are considering transferring any such human biospecimens internationally. NIH requires that all entities retain documentation supporting any sharing or distribution of biospecimens to countries of concern under one of the limited circumstances above, and that they further document the quantity and content of the biospecimen material that was shared or distributed. Documentation must be retained and provided to NIH upon request.

The BDR establishes restrictions on the transfer of sensitive personal data when it is shared in quantities considered “bulk.” These limits apply even when the data is anonymized or de-identified due to the risk that such data could be re-identified or weaponized by malicious actors.

The BDR applies when the volume of shared data (even in aggregate) meets or exceeds specified thresholds within a rolling 12-month period. These thresholds vary by data type as noted below. 

Sensitive Personal Data and their thresholds (28 CFR 202.205) include:

  • Human genomic data, including DNA sequences and genomic data derived from biospecimens
    • Threshold: ≥100 U.S. individuals
  • Other human ‘omic data, such as proteomic, transcriptomic, or epigenomic information
    • Threshold: ≥1,000 U.S. individuals
  • Biometric data, such as fingerprints, facial images, retinal scans, and voiceprints
    • Threshold: ≥1,000 U.S. individuals
  • Precise geolocation data, including GPS coordinates or device-based location tracking
    • Threshold: ≥1,000 U.S. devices
  • Personal health data, such as diagnoses, test results, treatment information, or insurance data
    • Threshold: ≥10,000 U.S. individuals
  • Personal financial data, including banking, credit, income, or tax-related records
    • Threshold: ≥10,000 U.S. individuals
  • Covered personal identifiers, such as Social Security numbers, passport numbers, driver’s license numbers, or device identifiers
    • Threshold: ≥100,000 U.S. individuals

A dataset that combines more than one of these categories (for example, health data linked to covered personal identifiers) is measured against the lowest threshold among the categories it contains.

A transaction that provides access to bulk sensitive or government-related data by a Covered Person or Country of Concern is subject to the BDR.

A transaction becomes covered when it meets all three of the following conditions:

  1. It involves U.S. sensitive personal data (as previously defined),
  2. the amount of data meets or exceeds the noted bulk threshold, and
  3. the recipient is a covered person (a person or entity subject to the jurisdiction, ownership, direction, or control of a country of concern).

U.S. Government-related data is covered regardless of volume; no bulk threshold applies to it.

The BDR defines four types of covered transactions. Data brokerage is prohibited outright. Vendor, employment, and investment agreements are restricted, meaning they are permitted only if the U.S. person complies with the security requirements issued by the Cybersecurity and Infrastructure Security Agency (CISA). Any covered transaction that involves bulk human ‘omic data, or human biospecimens from which such data could be derived, is prohibited outright regardless of type.

  • Data Brokerage (prohibited): A U.S. person may not engage in data brokerage (e.g., sale or licensing of data to a recipient that did not collect or process it) that gives a covered person or a country of concern access to bulk U.S. sensitive personal data or U.S. Government-related data.
    • Example: A hospital research program licenses de-identified or anonymized electronic health records (EHR) from 20,000 patients to a third-party research company headquartered in a country of concern. De-identification does not take the transaction outside the BDR.
  • Vendor Agreements (restricted): An agreement in which a covered person provides goods or services, including cloud-computing services, in exchange for payment or other consideration, and gains access to bulk sensitive personal data, is permitted only if the U.S. person complies with the CISA security requirements.
    • Example: A research lab uses a data-visualization platform operated by a vendor organized under the laws of Russia to analyze biometric data from 2,000 U.S. individuals.
  • Employment Agreements (restricted): A U.S. person may not enter into an employment agreement that gives a covered person access to bulk sensitive personal data unless the CISA security requirements are met.
    • Example: A research team hires a remote data analyst residing in Iran to manage longitudinal health survey data from 12,000 U.S. participants.
  • Investment Agreements (restricted): An agreement in which a covered person acquires a direct or indirect ownership interest in U.S. real estate or a U.S. legal entity, where that interest gives access to bulk sensitive personal data.
    • Example: An investigator working on pediatric genomics receives investment from a venture fund based in Hong Kong (covered as part of the People’s Republic of China). As part of the investment, the fund gains access to the company’s genomic dataset of 250 individuals. Because the dataset is bulk human genomic data, this transaction is prohibited outright rather than merely restricted.

Some exemptions may apply to the prohibitions and restrictions of the BDR:

  • Personal Communications
  • Information or Informational Materials
  • Travel
  • Official U.S. Government Business
  • Financial Services
  • Corporate Group Transactions
  • Transactions required or authorized by Federal law or international agreements, or necessary for compliance with Federal law
  • Investment agreements subject to a Committee on Foreign Investment in the United States (CFIUS) action
  • Telecommunications Services
  • Drug, biological product, and medical device authorizations
  • Other Clinical Investigations & Post-Marketing Surveillance Data 

To assess whether an exemption applies to your transaction or collaboration, please contact the Export Control team.

Where transactions involve sensitive personal data and international collaboration, please contact Export Control or Research Data Compliance teams for guidance.  Together, we can assess the transactions involved for compliance risks under the BDR.  

Please find our Bulk Data Access Rule (“BDR”) Decision Tree here to help guide your risk assessment.

Tracking Data Volumes and Bulk Thresholds

Researchers must also understand and track cumulative data transfers to any foreign entity over a rolling 12-month period:

  • Data volume is counted per type (e.g., 100+ for genomic, 10,000+ for health)
  • Small, repeated transfers count toward the total
  • Even de-identified data must be tracked

Maintain internal logs of:

  • What was shared
  • With whom
  • When
  • For what purpose
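The tally the list above calls for is a rolling-window sum per recipient and data type. As an added illustration that is not part of the Medical Center’s guidance or tooling, the Python sketch below keeps that tally from a transfer log: every transfer, however small, adds to the total for the recipient and each data category it carries; only transfers dated within the preceding 365 days count; and a transfer is counted whether or not the data was de-identified. Thresholds are taken from 28 CFR 202.205; the log entries and recipient names are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Bulk thresholds (U.S. persons, or U.S. devices for geolocation) from 28 CFR 202.205.
# An institution may choose lower internal triggers; change them here, not in the logic.
BULK_THRESHOLDS = {
    "genomic": 100,          # human genomic data
    "omic_other": 1_000,     # other human 'omic data (proteomic, transcriptomic, ...)
    "biometric": 1_000,
    "geolocation": 1_000,    # counted per U.S. device
    "health": 10_000,
    "financial": 10_000,
    "identifiers": 100_000,  # covered personal identifiers
}

WINDOW = timedelta(days=365)  # rolling 12-month look-back


@dataclass(frozen=True)
class Transfer:
    """One line of the internal log: what, to whom, when, how many people, why."""
    when: date
    recipient: str              # foreign entity that received or could access the data
    data_types: frozenset       # categories present (keys of BULK_THRESHOLDS)
    us_persons: int             # distinct U.S. individuals (or devices) in this transfer
    purpose: str = ""
    deidentified: bool = False  # recorded for the log only; never used to skip counting


def window_totals(log, recipient, as_of, window=WINDOW):
    """Sum U.S. persons per data type over transfers to `recipient` dated in
    (as_of - window, as_of]. Summing across transfers double counts anyone who
    appears in several of them; without subject identifiers in the log that is
    the conservative reading."""
    start = as_of - window
    totals = defaultdict(int)
    for t in log:
        if t.recipient == recipient and start < t.when <= as_of:
            for dt in t.data_types:
                totals[dt] += t.us_persons
    return dict(totals)


def bulk_findings(log, as_of, thresholds=BULK_THRESHOLDS, window=WINDOW):
    """Return (recipient, data_type, total, threshold) for every pair whose
    rolling total meets or exceeds its bulk threshold as of `as_of`."""
    findings = []
    for recipient in sorted({t.recipient for t in log}):
        for dt, total in sorted(window_totals(log, recipient, as_of, window).items()):
            if total >= thresholds[dt]:
                findings.append((recipient, dt, total, thresholds[dt]))
    return findings


def first_bulk_date(log, recipient, data_type, thresholds=BULK_THRESHOLDS, window=WINDOW):
    """Walk the log chronologically and return the date on which the rolling
    total for (recipient, data_type) first met the threshold, or None."""
    for t in sorted(log, key=lambda x: x.when):
        if t.recipient != recipient or data_type not in t.data_types:
            continue
        total = window_totals(log, recipient, t.when, window).get(data_type, 0)
        if total >= thresholds[data_type]:
            return t.when
    return None


# Constructed sample log; the recipients are hypothetical.
SAMPLE_LOG = [
    Transfer(date(2024, 6, 1), "Vendor A", frozenset({"genomic"}), 50, "QC pipeline"),
    Transfer(date(2025, 1, 15), "Vendor A", frozenset({"genomic"}), 40, "QC pipeline", True),
    Transfer(date(2025, 4, 2), "Vendor A", frozenset({"genomic"}), 35, "QC pipeline", True),
    Transfer(date(2025, 9, 10), "Vendor A", frozenset({"genomic"}), 30, "QC pipeline", True),
    Transfer(date(2025, 3, 1), "Collaborator B", frozenset({"health", "identifiers"}), 6_000, "registry"),
    Transfer(date(2025, 7, 1), "Collaborator B", frozenset({"health"}), 5_000, "registry"),
]

if __name__ == "__main__":
    for finding in bulk_findings(SAMPLE_LOG, date(2025, 10, 1)):
        print("bulk threshold met:", finding)
    print("Vendor A genomic first reached bulk on", first_bulk_date(SAMPLE_LOG, "Vendor A", "genomic"))
```

Two points the sample log is built to show: as of 2025-10-01 the June 2024 transfer has aged out of the window, yet the three later transfers of 40, 35 and 30 genomic records still sum to 105 and trip the 100-person threshold; and walking the log chronologically shows the threshold was first met on 2025-04-02, when the June 2024 transfer still counted. A real implementation should record subject identifiers so overlapping cohorts are not double counted, and should evaluate combined datasets against the lowest threshold of the categories they contain.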

Establish Necessary Transfer Agreements

Researchers must ensure Data Use Agreements, Material Transfer Agreements, and/or other applicable research agreements are appropriately in place prior to the international transfer of data and specimens for research purposes, and that samples received by the Medical Center with further sharing restrictions are appropriately tracked and managed.

Please contact Export Control or Research Data Compliance directly with any questions. 

There are significant legal and enforcement consequences for violations of the NIH Policy on Enhancing Security Measures for Human Biospecimens and the BDR, including potential civil and/or criminal penalties. Please contact the Export Control team directly with any suspected violations or questions.

The Medical Center must make every effort to identify suspected or actual violations that occur in conjunction with its export activities. All known or suspected export compliance problems should be documented as soon as possible.

Timeliness of reporting is a key issue, since export violations are evaluated not only in terms of their content but also in terms of their frequency of occurrence and their system-wide implications.

Additionally, the Medical Center maintains a range of reporting options, including a telephone hotline (1.833.416.6297), and an online Web Reporting Hotline System for confidential reporting of concerns about compliance with applicable laws, rules, regulations, and policies at the Medical Center.