CMS Data Sharing Plan Ignites Privacy Firestorm

August 6, 2025

Jasmine Harris, Contributing Editor

The Centers for Medicare & Medicaid Services (CMS) confirmed in mid-July that it has executed a memorandum of understanding giving U.S. Immigration and Customs Enforcement (ICE) direct query access to the national Medicaid eligibility database. The agreement allows ICE to retrieve names, home addresses, dates of birth and Social Security numbers for any beneficiary flagged as a “person of interest” by immigration analysts. Early coverage in The Guardian reported that the data would be used to “locate undocumented immigrants and prevent Medicaid fraud,” a justification critics describe as both overly broad and legally dubious. (The Guardian) Subsequent investigations by WIRED and the Los Angeles Times revealed that CMS did not conduct a formal Privacy Impact Assessment before executing the deal, despite internal policies that require such reviews whenever personally identifiable information moves outside the agency. (WIRED, Los Angeles Times)

Policy Roots in a Renewed Immigration Agenda
CMS Administrator Dr. Mehmet Oz—a television personality turned political surrogate who was appointed to the post after campaigning for former President Donald Trump in 2024—has framed the data-sharing pact as a fraud-control measure that “protects taxpayer dollars.” Speaking on Fox News days before the agreement became public, Oz highlighted a larger $200 billion Medicaid “reinvestment” promised under the recently enacted One Big Beautiful Bill and argued that tighter eligibility policing is the price of preserving the program. (New York Post) Parallel language appears in a May CMS bulletin that warns states against “illegally using federal Medicaid dollars to cover health care for individuals who are in the country unlawfully.” (Centers for Medicare & Medicaid Services) Policy analysts note that the bulletin creates a compliance narrative—improper state payments—to justify handing immigration authorities an unprecedented trove of health data.

Possible Violations of Federal Privacy Protections
Health-privacy scholars quickly questioned whether the memorandum conflicts with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, which restricts disclosures of protected health information to law-enforcement agencies unless a court order, subpoena or specific statutory mandate exists. Attorneys at the Georgetown Law Center on Privacy and Technology point to Section 1902(a)(7) of the Social Security Act, which limits state Medicaid agencies to sharing identifiable data only “for purposes directly connected with plan administration.” ICE investigations, they argue, fall outside that perimeter. Former HHS officials interviewed by WIRED noted that CMS historically required de-identification or aggregate reporting when sharing data with external entities, making the new agreement a radical departure from precedent. (WIRED)

Operational Impact on Medicaid Enrollment and Public Health
Advocacy groups representing immigrant communities predict that the policy will deter mixed-status families from seeking Medicaid coverage for eligible children, echoing the chilling effects observed after the 2019 public-charge rule. Kaiser Family Foundation modeling suggests that a five-percent drop in enrollment among non-citizens would translate into roughly 320,000 children and 180,000 pregnant individuals losing coverage in the next plan year. Hospitals in border states warn that uncompensated-care burdens could spike if beneficiaries forgo preventive services and appear later in emergency departments. Public-health officials in California have also voiced concern that fear-driven disenrollment could undermine vaccination campaigns amid resurgent measles clusters.

Legal Challenges Take Shape
On 22 June a coalition of 38 House members led by Rep. Alexandria Ocasio-Cortez sent a letter to HHS demanding suspension of the pact and release of the Privacy Impact Assessment, which CMS now concedes was never completed. (Representative Ocasio-Cortez) The American Civil Liberties Union and National Immigration Law Center announced intent to file suit in the U.S. District Court for the District of Columbia, alleging violations of both HIPAA and the Administrative Procedure Act. Meanwhile, California’s Attorney General has signaled that the state may invoke its own Confidentiality of Medical Information Act to block data transfers involving residents. Legal scholars compare the looming court fight to Braidwood v. Becerra, warning that a narrow ruling could still produce nationwide disruption through injunctive relief.

Financial and Compliance Risks for Health Systems
Hospitals and managed-care organizations must reckon with spillover consequences even though the agreement binds federal agencies, not providers. Immediate risks include:

  • Enrollment volatility that complicates capitated payment forecasting for Medicaid managed-care plans.
  • Uncompensated-care costs for safety-net facilities if patients disenroll out of fear.
  • Audit exposure if states accelerate eligibility reviews in response to federal pressure.
  • Reputational damage for health systems perceived as complicit in immigration enforcement activities.

Provider and State Responses
Several state Medicaid agencies have begun to explore technical safeguards that could throttle the flow of beneficiary data from state systems to the federal hub, citing authority under existing state privacy statutes. Health information exchanges in Illinois and Washington have offered to supply de-identified utilization data that would allow CMS to monitor fraud without revealing addresses or Social Security numbers. The National Association of Medicaid Directors has urged CMS to suspend the agreement until an independent privacy review is completed and a clear legal rationale is published.

Outlook for Oversight and Policy Reversal
Senate Finance Committee Chair Ron Wyden announced plans for an oversight hearing in September, calling the data-sharing pact “an egregious abuse of public-health information for political ends.” The Government Accountability Office has also opened an inquiry into whether CMS violated the Privacy Act of 1974 by failing to publish a System of Records Notice before expanding access to personal data. Although Administrator Oz insists the agreement will proceed, litigation could force a pause. If injunctive relief arrives before open enrollment begins on 1 November, states may avoid a second round of the disruptive coverage losses that marred the 2023 post-pandemic redetermination cycle.

Strategic Considerations for Health-Sector Leaders
Legal uncertainty now surrounds every Medicaid data feed that flows through federal servers. Compliance officers should inventory vendor connections, confirm that only minimum necessary data move across interfaces, and prepare patient-facing communications that clarify what information may be shared with federal agencies. Boards will also need to weigh the reputational cost of remaining silent against the political risk of confronting CMS publicly.

The episode illustrates how hard-won norms around patient privacy can unravel rapidly when immigration enforcement intersects with health-care administration. Absent swift corrective action, distrust may ripple far beyond immigrant communities and undermine the very program the current CMS leadership claims to protect.