All of Us Data and Research Center Policy on Sensitive U.S. Data Protection

Updated April 9th, 2025

Background

On January 8, 2025, the U.S. Department of Justice issued a new rule prohibiting access to certain sensitive personal data and biospecimens of U.S. persons and U.S. government-related data. This new rule is available in the US Federal Register, Vol. 90 No.5 at page 1706 for January 8, 2025. A summary of the new rule can be found on the U.S. Department of Justice website.

Rule and Analysis

The U.S. Department of Justice rule, issued under 28 CFR Part 202, outlines new federal protections that prohibit:

• Allowing access to certain sensitive personal data and biospecimens of US persons and US government-related data by entities, organizations, and individuals who meet the criteria of “Covered Persons” as defined in the new rule under 28 CFR Part 202.211.
• Allowing further access to such data and biospecimens to “Covered Persons” by entities, organizations, and individuals who obtained initial access to such data from data providers in compliance with the new rule. Specifically, providers of such data and biospecimens are required to contractually require recipients of such data and biospecimens to prevent any subsequent actions that would permit any “Covered Persons” to access such data and biospecimens as set forth in 28 CFR 202.302.

Policy Statement

All institutions that have executed or are applying for an All of Us Data Use and Registration Agreement (DURA) with Vanderbilt University Medical Center must adhere to this US Government rule. The user institution is responsible for ensuring that only authorized users access the All of Us data in compliance with this rule in addition to all applicable laws, rules, and regulations, as well as all professional standards and All of Us Research Program policies applicable to such research, including, as applicable, U.S. Public Health Service and NIH regulations and guidelines such as those relating to use of data from human subjects. Failure to comply may result in termination of access, contract revocation, or referral for legal action, as determined by the All of Us Research Program, Vanderbilt University Medical Center, and applicable federal policy.