Federal Judge Blocks HHS from Sharing Medicaid Data with ICE
A federal judge has ordered the U.S. Department of Health and Human Services (HHS) to stop sharing the data of Medicaid enrollees with Immigration and Customs Enforcement (ICE) at the Department of Homeland Security for immigration enforcement purposes.
The Medicaid program provides health insurance for individuals with limited income and resources, such as low-income adults, children, pregnant women, elderly adults, and people with disabilities. There are currently around 79 million Medicaid enrollees in the United States. Anyone living in the United States illegally is not permitted to enroll in the federal Medicaid program, although seven states permit non-U.S. citizens to participate in their state Medicaid programs, but do not bill the federal government for the costs.
In June 2025, under the direction of HHS Secretary Robert F. Kennedy Jr., the HHS’s Centers for Medicare and Medicaid Services (CMS) started sharing the personal data of Medicaid recipients with ICE under a new data-sharing agreement. Staff at the CMS attempted to block the data transfers but were overruled by Secretary Kennedy’s advisors. ICE has had a 12-year policy of not using Medicaid data for enforcement purposes, and CMS has previously restricted the use of Medicaid data to the administration of its healthcare programs.
The HHS maintains that the access is being provided as part of the Trump Administration’s push to rid the country of illegal aliens. The data provided by the CMS provides ICE agents with identity and location information to allow those individuals to be found by enforcement officers, and stop federal funds intended for law-abiding Americans from being used to pay for Medicaid benefits for illegal aliens.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
When the decision to share Medicaid data with ICE came to light in June, a coalition of 20 state attorneys general took legal action to prevent the HHS from sharing Medicaid data with ICE; however, a further agreement was entered into in July, which provided DHS with daily access to the Medicaid data stream. The shared data includes names, addresses, birth dates, ethnicities, and Social Security numbers, which may not be downloaded, but can be viewed by ICE officials until September 9, 2025, between 9 a.m. and 5 p.m.
The state attorneys general argued that the sharing of Medicaid data with DHS was in violation of HIPAA and threatened to undermine the Medicaid program. “The move to use Medicaid data for immigration enforcement upended longstanding policy protections without notice or consideration for the consequences,” said California Attorney General Rob Bonta. “As the president continues to overstep his authority in his inhumane anti-immigrant crusade, this is a clear reminder that he remains bound by the law.”
Judge Vince Chhabria, a District Court Judge in the Northern District of California, sided with the state attorneys general and ruled that the HHS must stop sharing Medicaid data with ICE for immigration enforcement purposes that was obtained from the 20 states that participated in the lawsuit. The preliminary injunction will remain in place until 14 days after HHS and DHS complete a reasoned decision-making process that complies with the Administrative Procedures Act, or the litigation is concluded.
In his ruling granting a preliminary injunction, Judge Chhabria said, “Using CMS data for immigration enforcement threatens to significantly disrupt the operation of Medicaid—a program that Congress has deemed critical for the provision of health coverage to the nation’s most vulnerable residents.” While he wrote that there is nothing categorially unlawful about the DHS obtaining data on individuals obtained from government agencies such as the HHS for immigration enforcement purposes, since 2013, ICE has had a well-publicized policy against using Medicaid data for its enforcement activities, and the CMS has a long-standing policy of not sharing patients’ personal data for reasons other than those related to its healthcare programs, and even states so on its website.
“Given these policies, and given that the various players in the Medicaid system have relied on them, it was incumbent upon the agencies to carry out a reasoned decisionmaking process before changing them,” wrote Chhabria in his ruling. “The record in this case strongly suggests that no such process occurred.”
