The National Institutes of Health (“NIH”) has become the latest federal agency to impose obligations that go beyond those required by the watershed U.S. Department of Justice (“DOJ”) data security program (“DSP”) with its new Policy on Enhancing Security Measures for Human Biospecimens (“NIH Policy”). The NIH Policy comes on the heels of the additional restrictions on clinical trials that the U.S. Food and Drug Administration (“FDA”) announced this summer in a press release.
While these updates are relevant to the life sciences industry in particular, they may signal a broader regulatory trend that merits attention across all industries.
Even companies outside of the life sciences industry should take note of these policy developments as they may foreshadow a broader agency trend to restrict data access by countries posing a national security risk to the United States. Until DOJ issues further interpretative guidance, companies should be prepared for narrow applications of the DSP’s restrictions and consider potential operational impacts if future guidance limits, rather than loosens, the DSP’s prohibitions. It is now even more critical for companies to solidify their positions and efforts to comply with the DSP—even those entities that determine that the DSP does not apply to them.
The DSP prohibits or restricts companies from making sensitive data of U.S. persons and U.S. government‑related data accessible to China, Cuba, Iran, North Korea, Russia, and Venezuela (the “countries of concern”) and “covered persons,” such as foreign companies owned or controlled by entities or individuals in a country of concern. For a discussion of the program’s requirements, see our full analysis, our additional analysis on compliance, webinar, second webinar, and podcast. All requirements under the DSP are now fully in effect,[1] but DOJ has not published additional guidance since it issued its preliminary compliance guide on April 11, 2025.
The NIH Policy took effect on October 24, 2025, and establishes NIH’s expectations for “ensuring the security of human biospecimens whose collection, obtainment, storage, use, or distribution are supported by NIH funds” such as grants, cooperative agreements, and other intramural support, consistent with the DSP.
The NIH Policy prohibits entities that hold human biospecimens of U.S. persons from directly or indirectly distributing the human biospecimens to institutions or parties located in countries of concern when those biospecimens are collected, obtained, stored, used, or distributed using ongoing or new NIH funding mechanisms. Notably, the NIH Policy does not expressly state that this restriction only applies to U.S. persons (as defined under the DSP). Rather, it makes clear that this policy applies to those entities that obtained human clinical and research biospecimens from U.S. persons—including biorepositories, institutions, and investigators.
This policy is also broader than the DSP because unlike the DSP’s “bulk thresholds,” even a single covered biospecimen can seemingly fall within the scope of the NIH Policy.
U.S. companies are exempt from the NIH Policy only if use of the human biospecimens is:
Companies relying on these exemptions must document the quantity and content of the biospecimen material that was shared or distributed, which must be provided to NIH upon request.
Further, although the NIH Policy applies to biospecimens obtained with “ongoing or new” NIH funding, the agency stated that it “expects the research community to recognize the risks posed by” sharing this information with countries of concern, even if conducted in connection with previous NIH funds or support.
On the same day it issued the NIH Policy, NIH also issued a separate notice about controlled-access data repositories (“CADRs”) titled Required Security and Operational Standards for NIH Controlled-Access Data Repositories. Among other things, this notice reaffirms an NIH update from April 2025 that prohibited access to NIH CADRs and associated data by institutions located in countries of concern (as defined under the DSP).
Companies in the life sciences industry should assess whether their operations are subject to these broad NIH restrictions and review existing controls to determine if they align with these new limitations. Where necessary, companies may need to alter the sharing or distribution of U.S. person biospecimens to comply with the NIH Policy.
Companies relying on certain exemptions under the DSP should evaluate whether the restrictions imposed by NIH will affect their compliance obligations. For example, companies using biospecimen data supported by NIH funds may not be able to rely on exemptions that are technically available under the DSP, such as the exemption for official business of the U.S. government (28 C.F.R. § 202.504), unless one of NIH’s limited exceptions applies.
[1] The DSP took effect on April 8, 2025. On April 11, 2025, DOJ announced that it will not prioritize civil enforcement actions for DSP violations that occur from April 8 through July 8, 2025, as long as a company is engaging in good-faith efforts to come into compliance during that time. The remaining compliance obligations under the DSP, including due diligence and reporting requirements, became effective on October 6, 2025.



