Double exposure: navigating CFIUS and HIPAA compliance in an era of foreign investment in health data
Thursday 12 March 2026
Andrew Bochner
Bochner, New York
andrew@bochner.law
Bessie Frías
Bochner, New York
bfrias@bochner.law
Recent modifications to the Committee on Foreign Investment in the United States (CFIUS) regulations have expanded the US federal government’s scope of review regarding transactions involving foreign investors. Under the modified regulatory framework, CFIUS regulators may review transactions involving ‘TID’ businesses, ie, entities dealing in critical technology or infrastructure, and sensitive personal data. This change has uniquely affected healthcare M&A transactions involving foreign investors, whose calculus regarding transactional compliance risks has traditionally centred on compliance with federal healthcare laws such as the Health Insurance Portability and Accountability Act (HIPAA). This is especially true for healthcare M&A transactions that include sensitive healthcare data that may be treated as ‘sensitive personal data’ for the purposes of CFIUS compliance. Healthcare M&A lawyers and their clients may remain unbothered by the added compliance risk, given that the federal government already heavily regulates the healthcare industry. Yet it is worth noting that the requirements provided under CFIUS and HIPAA regulations, respectively, are often contradictory – thereby increasing the risk of non-compliance for private equity (PE)-backed healthcare M&A transactions involving foreign investors.
This article discusses how compliance with two distinct and contradicting regulatory frameworks, HIPAA and CFIUS, may pose a unique challenge for healthcare M&A transactions involving foreign investors. To contextualise the issue at hand, it considers a theoretical transaction: an investment fund that includes foreign investors aims to acquire a target entity whose assets include a healthcare platform wherein the protected health information (PHI) of more than 500,000 users is managed and stored. The foreign investors must now determine whether the transaction will trigger CFIUS compliance requirements while also ensuring that the target remains HIPAA compliant before, during and after the transaction has been consummated.
Two frameworks, one dataset: regulatory background
CFIUS is a federal interagency committee established in 1975 to review foreign investments in US businesses for national security risks. Accordingly, CFIUS has traditionally exercised oversight over transactions involving the defence sector, though recent amendments to CFIUS regulations indicate that the enforcement status quo is shifting. In 2018, the Foreign Investment Risk Review Modernization Act (FIRRMA) was enacted, expanding the Committee’s jurisdiction over foreign investments in US businesses to include non-controlling investments in companies dealing in sensitive personal data, including health data. The shift continues: in 2025, not long after FIRRMA’s enactment, the Department of Justice developed the Data Security Program (DSP) to specifically restrict transactions with foreign adversaries that involve bulk health data, irrespective of whether the health data has been de-identified, anonymised or encrypted. The federal government’s enactment and development of FIRRMA and the DSP are noteworthy for healthcare transactions because, beyond indicating that the federal government is willing to shift the status quo for CFIUS enforcement, these changes demonstrate that the federal government is particularly concerned with, and willing to regulate, foreign investments in healthcare transactions involving sensitive healthcare data.
While CFIUS regulations may be a matter of first impression for healthcare deal lawyers, familiarity with the federal HIPAA regulatory framework is a practice prerequisite for healthcare practitioners. The US federal government enacted HIPAA in 1996 to specifically regulate the use, storage, management and disclosure of PHI. Since then, the federal government has strictly enforced HIPAA regulatory requirements, and many states have adopted statutory analogues aimed at enhancing privacy and security protections for PHI at the state level.
Importantly, HIPAA’s impact in M&A has proved significant; parties to healthcare transactions often dedicate both time and money to regulatory due diligence aimed at assessing a target company’s policies and procedures regarding the use and disclosure of PHI to mitigate HIPAA non-compliance risks such as steep monetary penalties and criminal liability. At the same time, the federal government has provided exemptions to the HIPAA regulatory requirements, commonly known as HIPAA safe harbours, which have allowed M&A attorneys to structure transactions to avoid HIPAA compliance altogether. One such example is the de-identification safe harbour, which generally permits individuals to use, share and commercialise de-identified PHI and has been especially useful in transactions wherein the asset to be acquired is healthcare data.
Requirements versus reality: tension between laws
The American healthcare industry is heavily regulated: healthcare M&A lawyers are all too familiar with the difficulties of navigating state and federal legal frameworks during due diligence. Accordingly, healthcare M&A lawyers may not immediately be concerned with the possibility that the expanded application of CFIUS regulations may require them to consider compliance with CFIUS in addition to healthcare laws.
It is worth noting the existing tensions between HIPAA and CFIUS to appreciate the practical challenges clients may face in achieving compliance under each legal framework. To examine these tensions, we refer to the theoretical transaction described at the beginning of this article – an investment fund with foreign investors seeks to acquire a large healthcare platform containing PHI of over 500,000 users. As described, this transaction would require the investment fund to confirm not only whether the target is compliant with federal HIPAA requirements, but also whether the transaction will trigger CFIUS mandatory reporting requirements.
De-identification
The first, and most glaring, tension between HIPAA and CFIUS requirements relates to PHI; specifically, the use and disclosure of PHI. It is important to highlight that healthcare data is highly valuable and may, in some instances, be the most important asset in an acquisition. To this end, a buyer’s ability to use and disclose healthcare data may be a threshold question in determining whether a transaction is consummated.
HIPAA regulations permit the use and disclosure of de-identified healthcare data provided that the healthcare data has been de-identified in accordance with HIPAA requirements. The ‘de-identification’ rule has allowed healthcare investors to use and disclose healthcare information to realise certain business purposes without needing to comply with HIPAA regulations.
By contrast, the federal DSP implemented on 11 April 2025 under Executive Order 14117 establishes ‘export controls that prevent foreign adversaries, and those subject to their control and direction, from accessing US Government-related data and bulk US sensitive personal data.’ (Data Security Program: Compliance Guide, 1) Specifically, the compliance guide prohibits US persons from knowingly engaging in a covered data transaction involving the sale of data, licensing of access to data, or similar commercial transactions (collectively, ‘data brokerage’) with a country of concern or covered person (a ‘prohibited transaction’). The DSP defines ‘bulk US sensitive personal data’ as including ‘a collection or set of sensitive personal data relating to US persons, in any format, regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted, where such data meets or exceeds the applicable bulk threshold set forth in § 202.205.’ (Data Security Program: Compliance Guide, 3).
The DSP reserves the right to modify the meaning of ‘covered persons’,[1] with any such modifications to be published in the Federal Register. The Department has designated China, Cuba, North Korea, Iran, Russia and Venezuela as ‘countries of concern’ for the purposes of the DSP. In addition to prohibiting certain transactions, the DSP also restricts:
- transactions whereby a foreign investor may gain a right to access sensitive personal data by requiring that parties to such restricted transactions implement certain security measures to proceed with the transaction; and
- US persons from knowingly engaging in a data transaction involving data brokerage with foreign persons that are not covered persons, unless the US person (1) contractually requires that the foreign person refrain from engaging in a subsequent covered data transaction involving data brokerage of the same data with a country of concern or covered person; and (2) reports any known or suspected violations of this contractual requirement in accordance with section 202.302(b).
The difference in each regulatory framework’s treatment of de-identified healthcare data presents a unique compliance challenge. If a transaction involves bulk healthcare data and is subject to both HIPAA and CFIUS requirements, then the practical implications of compliance may be a non-starter for foreign investors or investment funds including foreign investors, irrespective of whether such investors are classified as ‘covered persons’ under the DSP. This may be especially consequential for transactions wherein the buyer’s primary goal is to acquire bulk healthcare data. Parties to such transactions may find that compliance with the HIPAA de-identification rule alone will not guarantee a foreign investor’s ability to use and disclose bulk healthcare data. In fact, compliance with CFIUS requirements may result in the termination of a transaction.
Operational considerations
Another challenge presented by dual-compliance requirements concerns operational processes. Many healthcare entities located in the US maintain databases containing bulk healthcare data in offshore locations. Offshore data maintenance is beneficial for many reasons, including cost reduction, insulation against domestic disruptions such as cyberattacks, and increased scaling potential. Importantly, healthcare entities can maintain offshore databases in large part because HIPAA regulations do not prohibit this practice, but rather require that covered entities that maintain offshore databases implement contractual and technical safeguards to protect sensitive healthcare data. These safeguards include, but are not limited to, business associate agreements, which ensure that vendors that handle PHI on behalf of a covered entity comply with HIPAA requirements, and access, audit and integrity controls, which regulate how sensitive healthcare data is managed.
While HIPAA regulations allow healthcare entities to maintain offshore databases to manage bulk sensitive healthcare data, CFIUS regulations restrict and sometimes prohibit foreign investors from accessing such sensitive systems. The incongruence of HIPAA and CFIUS regulations may disincentivise foreign investors from investing in US-based healthcare entities with offshore databases, given that compliance with applicable CFIUS requirements may result in the foreign investors’ inability to exercise full ownership rights over the target entity post-closing.
Coverage gap
The third point of tension between HIPAA and CFIUS regulations relates to scope. Specifically, healthcare M&A lawyers must consider coverage gaps which may expose a transaction to compliance risks. HIPAA is applicable only to covered entities, defined as (1) healthcare providers (both institutional and individual), (2) health plans and (3) entities that process healthcare information; however, business associate agreements can extend HIPAA’s scope to third parties that handle PHI.
HIPAA’s narrow scope means that healthcare entities that do not qualify as ‘covered entities’, but nonetheless handle sensitive healthcare data, are not subject to HIPAA regulations. For many healthcare M&A lawyers, a determination that HIPAA is inapplicable to a transaction can mark the conclusion of regulatory diligence. However, CFIUS requirements concerning bulk sensitive personal data may require that attorneys assess whether the composition of the parties to a transaction involving bulk healthcare data would trigger compliance requirements under the DSP. The coverage gap created by dual-compliance requirements will require that healthcare M&A attorneys engage in additional due diligence efforts to confirm compliance with both regimes.
Navigating incongruent legal frameworks
- regulatory due diligence for healthcare M&A transactions involving foreign investors should assess HIPAA compliance and whether compliance with CFIUS is required;
- de-identification is not a solution to CFIUS requirements. Healthcare M&A attorneys should remind foreign-based clients interested in investing in a US healthcare entity that compliance with CFIUS requirements may bar a foreign investor from realising the value of healthcare data if the investor’s goal in acquiring such an asset is to use, share, and/or commercialise the healthcare data;
- business associate agreements (BAAs) should be reviewed and revised to ensure that all parties to the transaction remain HIPAA compliant, and should include data access provisions that are contingent on adherence to CFIUS regulatory requirements, to mitigate the risk of non-compliance with CFIUS regulations; and
- healthcare M&A attorneys should emphasise the need for subject matter attorneys for regulatory due diligence given that HIPAA and CFIUS compliance require different expertise.
[1] The DOJ’s compliance guidance for the DSP provides that there are currently four classes of persons that are covered persons whether or not designated as such: (1) foreign entities headquartered in or organised under the laws of a country of concern or 50 per cent or more owned, individually or in the aggregate, by one or more countries of concern or other covered persons; (2) foreign entities 50 per cent or more owned, individually or in the aggregate, by a country of concern or another covered person; (3) foreign individuals that are employees or contractors of a country of concern or covered person; and (4) foreign individuals who are primarily resident in a country of concern. The DOJ further indicates that the federal government maintains the authority to designate both foreign and US persons as covered persons pursuant to s 202.211(a)(5), after a determination that those persons meet certain criteria.