
The U.S. Department of Justice’s (DOJ) new Data Security Program (DSP), parts of which took effect on April 8, 2025, is a regulation that medical device companies cannot afford to ignore. For organizations manufacturing in China or other countries of concern — whether through their own facilities or contract manufacturers — the DSP presents significant compliance challenges that must be addressed immediately.
This regulation is designed to protect U.S. national security by restricting the transfer of bulk sensitive data to foreign entities associated with “countries of concern,” including China, Russia, Iran, North Korea, Cuba, and Venezuela. Sensitive data includes human genomic information, biometric identifiers, precise geolocation, and personal health data even if fully anonymized, de-identified or encrypted.
For the many medical device companies with manufacturing ties to China, compliance is particularly critical. Contract manufacturers in China or company-owned factories often handle sensitive information, such as device design specifications, patient-use data, and quality control metrics. These data flows must now be scrutinized under the DOJ’s framework to avoid inadvertent violations. Failure to comply could lead to severe penalties, from hefty fines to criminal charges, as well as irreparable damage to your company’s reputation.
The DSP includes some very narrow exemptions for regulatory approvals, including medical device authorizations, and post-market surveillance in support of FDA-regulated activities, but specific criteria need to be met, as we previously summarized online here. Transactions falling under these exemptions are not subject to the core prohibitions or affirmative compliance requirements, but reporting and recordkeeping rules may still apply.
In a recent communication, the DOJ’s National Security Division (NSD) announced a 90-day grace period for enforcement of the rule, effective from April 8 through July 8, 2025. During this period, the NSD will not prioritize civil enforcement actions against companies that are making good-faith efforts to comply with the rule. Examples of such efforts include conducting data audits, renegotiating vendor agreements, and implementing new security measures. This grace period gives companies a critical, though short, window to assess their operations and take the necessary steps toward compliance without the immediate threat of penalties.
However, NSD has made it clear that willful or egregious violations will still be pursued during this time. Companies should use this opportunity to engage proactively with the NSD’s guidance and ensure their compliance strategies are robust and actionable.
Compliance with the DSP isn’t just about avoiding fines; it’s about protecting your business, your reputation, and your relationships with stakeholders. For companies with manufacturing ties to China, the stakes are particularly high. Sensitive data exchanged with contract manufacturers or factory operations must now be carefully managed to ensure adherence to the rule. Furthermore, proactive compliance can be a strategic advantage. Companies that demonstrate strong data security and ethical practices will stand out in a competitive market, fostering trust with healthcare providers, patients, and regulators alike.
To navigate these challenges, companies should take the following steps:
Navigating the DSP is undoubtedly challenging, especially for companies with extensive global operations. We can help your organization by evaluating your manufacturing processes, complaint handling processes, data flows, and vendor agreements to identify compliance gaps. Our team is ready to guide you through the transition, offering tailored strategies to help mitigate risk, optimize operations, and ensure your organization remains on solid legal footing.
For medical device companies, especially those with manufacturing ties to China, the DSP is a wake-up call. This regulation requires a critical reevaluation of how sensitive information is shared, processed, and stored across global operations. Ignoring these requirements isn’t just a legal risk: it’s a business risk. By embracing compliance, companies have the opportunity to protect their operations and enhance their reputation as industry leaders and turn compliance into a competitive edge. The clock is ticking, and the time to act is now.
Authored by Jodi K. Scott, Scott Loughlin, and Melissa Levine.