Ropes & Gray’s health care partner, David Peloquin, spoke with Bloomberg Law on the additional DOJ instructions regarding the Biden-era Executive Order 14117. DOJ has provided clarity surrounding the effective date for enforcement, with a promise to delay any enforcement efforts until July 8 for companies that show “good faith efforts to comply.” David noted that this guidance “allows compliance officers, privacy officers, those within companies working on this, to really get the resources they need.”

On April 11, 2025, the Department of Justice (“DOJ”) released additional detail regarding the Final Rule implementing former President Biden’s Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (the “Final Rule”), which went into effect on April 8, 2025. The release included additional guidance, frequently asked questions, and an enforcement policy for the first 90 days. Much of the material re-articulated language in the Final Rule, but the release did include some notable new information for organizations assessing their compliance, key points of which we summarize below.

Earlier this year, Ropes & Gray published an Alert providing an overview of the Final Rule, material changes from the DOJ’s Notice of Proposed Rulemaking (“NPRM”), and guidance on steps organizations should take to come into compliance. (Ropes & Gray also published Alerts on the NPRM and the Advance Notice of Proposed Rulemaking).


Today, the Department of Justice’s (“DOJ”) Final Rule implementing former President Biden’s Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (the “Final Rule”) took effect.

Earlier this year, Ropes & Gray published an alert providing an overview of the Final Rule, material changes from the DOJ’s Notice of Proposed Rulemaking (“NPRM”), and guidance on steps organizations should take to come into compliance. (Ropes & Gray also published alerts on the NPRM and the Advance Notice of Proposed Rulemaking).

If they haven’t already, organizations should evaluate their obligations under the Final Rule and make compliance changes accordingly.

In an International Association of Privacy Professionals (IAPP) article, health care partner David Peloquin and data, privacy and cybersecurity associate Jake Barr along with Legend Biotech Chief Privacy Officer and Assistant General Counsel Corey Dennis discuss the landmark rule limiting sensitive data transfers to “countries of concern.” The article reviews key aspects for health care and life sciences companies, key exemptions, and best practices to ensure compliance.

The Trump Administration’s recent AI pronouncements decry “ideological bias or engineered social agendas” as antithetical to continued American AI leadership. Executive Order 14179, repealing prior Biden Administration Executive Order 14110 on AI safety, reflects that theme and so does Vice President Vance’s speech at the February 11 Paris AI summit. “We feel very strongly,” Vance remarked, “that AI must remain free from ideological bias.” The Trump Administration’s view appears to be that overzealous regulation, likely including nondiscrimination, safety, and transparency regulation, puts American AI development at a disadvantage. The release of DeepSeek undoubtedly reinforces such concerns. As White House Press Secretary Karoline Leavitt put it, “[DeepSeek] is a wake-up call to the American AI industry.”


In 2024, financial sector regulators prioritized cybersecurity issues impacting financial institutions and the public. Key U.S. federal agencies—including the Securities and Exchange Commission, Federal Trade Commission, and the Consumer Financial Protection Bureau—have been joined by state regulators such as the New York Department of Financial Services in significant new federal and state regulations and more robust and novel enforcement actions. This trend is expected to continue in 2025 as the rise of digital transactions and advent of AI introduce additional risks and cyberattacks become increasingly complex and prevalent.


On January 22, 2025, the New York State Assembly and Senate rapidly passed the wide-ranging New York Health Information Privacy Act. If not vetoed by Governor Kathy Hochul, NY HIPA would be the fourth enacted state consumer health data privacy law, following the Washington My Health My Data Act, Nevada SB 370 and the Connecticut Data Privacy Act. Importantly, NY HIPA could have a significant impact on companies across the country that collect or process health information of New York residents.


The U.S. Department of Justice (DOJ) announced last Wednesday that settlements and judgments under the False Claims Act (FCA) exceeded $2.9 billion in fiscal year 2024—up approximately 5% from last year. DOJ’s announcement underscores its commitment to FCA enforcement, particularly in the healthcare industry and now with increased activity in the areas of pandemic relief programs, military procurement, and cybersecurity.


In December 2024, New York Governor Kathy Hochul signed into law two bills (A8872A and S2376B; collectively, the “Bills”) that amend New York’s Data Breach Notification Law. The Bills introduce a maximum thirty-day timeframe for notifying affected New York residents of a reportable “breach of the security of the system” under state law (a “Data Breach”), require Data Breaches to be reported to the New York State Department of Financial Services (“NYSDFS”), and add medical information and health insurance information to categories of private information that may be subject to a Data Breach. According to their legislative history, the Bills were introduced in order to address “a broad sense of uncertainty by experts and lawmakers as to which federal regulations, if any, [are] charged with the responsibility to monitor and do regular supervision on cybersecurity.” While the Bills are likely to have a limited effect on HIPAA covered entities and business associates, they stand to significantly impact other persons and businesses in New York, including life sciences and consumer health care companies that are not subject to HIPAA.


In December 2024, the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (“ASTP/ONC”) within the U.S. Department of Health and Human Services (“HHS”) published two final rules that establish health data interoperability and information blocking regulations (the “New HTI Final Rules”).

The New HTI Final Rules will affect Trusted Exchange Framework and Common Agreement (“TEFCA”) qualified health information networks (“QHINs”) and health care organizations that exchange data through QHINs, as well as developers of certified health information technology, health information exchanges and networks, and health care providers (collectively, “Actors”) that are subject to the Information Blocking Rule.
