Confidential to Whom? Medicaid Data, Immigration Enforcement, and the Collapse of Healthcare Trust

In June 2025, the Department of Health and Human Services (HHS) enjoined the Centers for Medicare and Medicaid Services to transfer a Medicaid recipient dataset to Immigration and Customs Enforcement (ICE). The following legal response examined whether the transfer violated HIPAA or the Privacy Rule, and whether any exception sanctioned it. However important those implications, this transfer of data indicates a larger collapse of trust within state and federal healthcare systems. HIPAA’s model of privacy, which leads with the individual’s consent, disclosure, and authorization, does not give justice to the larger structural loss: the trust relationship between vulnerable patients and the healthcare system. A theory of relational privacy reveals how this transfer was a privacy violation of constitutional dimension rather than a mere regulatory violation.

The data transfer itself was not borne of a considered policy process. As per the complaint filed July 1st, 2025, by twenty state attorneys general in the Northern District of California, HHS transferred state Medicaid data files containing personal health records of millions of individuals to the Department of Homeland Security without formal acknowledgement or advance notice to the states. CMS and ICE formalized this arrangement through an Interagency Exchange Agreement which granted ICE direct access to CMS’s Integrated Data Repository and the Transformed Medicaid Statistical Information System on July 9th, 2025. This transfer contained records on over seventy-eight million Medicaid beneficiaries and included names, addresses, birth dates, ethnicities, Social Security numbers, and immigration status.

A preliminary injunction was granted by Judge Vince Chhabria on August 12th, 2025, barring both DHS from using Medicaid data from the twenty plaintiff states for immigration enforcement purposes and HHS from sharing further data with DHS. ICE has maintained an established policy against using CMS data for immigration enforcement since 2013, and CMS in turn had publicly represented that it would not use patient information for purposes other than running its healthcare programs. States, providers, and patients have relied on these assurances since. The court is holding that both agencies were required to undergo a formal decisionmaking process before deflecting from these assurances, and record strongly suggested that the process was avoided. The court, however, did not hold that the sharing of Medicaid data with ICE itself is categorically unlawful, as several federal statutes appear to permit or require agencies to provide information to DHS upon request.

The injunction is thus procedural instead of substantive. This gap is where the importance of relational privacy theory lies: whether the trust relationship itself carried constitutional weight. 

As of December 2025, Judge Chhabria partially denied the states’ motion for a preliminary injunction as to basic biographical and contact information. The coalition returned to court in March 2026 after the HHS shared the “large and complex data set” with ICE, apparently in violation of the injunction’s terms. The case and its procedural posture are ongoing. 

HIPAA’s framework emulates a propertarian model of privacy, meaning that it considers personal health information as something owned by the individual, much like owning property. The framework asks: Did you consent to sharing this information? Was it disclosed to an authorized party? Was the disclosure within permissible limits? If the answer is “yes” to all three questions, then the information must have been transferred with the individual’s consent. This fits within Medicaid enrollment forms, as enrollees must sign acknowledgments of privacy practices. Thus, consent is given. 

This framework, however, falls apart within the context of whether or not the consent was voluntary. It is meaningless in any morally relevant sense. Medicaid is a program for individuals who do not have a viable alternative to accessing healthcare; there is no real decision to enroll since enrollment is a necessity. The enrollee “consents” to the given data terms because refusal means lack of care. Furthermore, the enrollee has no power to bargain over how their data will be used, cannot opt out of data collection while retaining benefits, and have no practical recourse when information is given outside of the healthcare context. 

Helen Nissenbaum offers this perspective through her theory of contextual integrity: privacy is violated when an information flow breaches either the norms of appropriateness governing what information belongs in a given context, or the norms of distribution governing how it may legitimately move once shared. HIPAA regulates categories of “protected health information” within the healthcare system, but does not ask whether a given flow conforms to the contextual norms under which beneficiaries originally shared their data. The Medicaid-ICE transfer breaches both norms. Immigration enforcement is not part of the healthcare context within which Medicaid data was collected.

The law’s treatment of enrollment as voluntary consent systematically underprotects the program’s beneficiaries. HIPAA’s structural framework allows for the regulation of data flows within the healthcare system. Its logic does not apply to the external transfer of data for immigration and enforcement purposes. This is named explicitly in California v. HHS, which alleges that the transfer violates HIPAA, the Social Security Act, the Federal Information Security Modernization Act, the Privacy Act, Administrative Procedure Act, and the Spending Clause. This reflects how HIPAA alone is not sufficient doctrinally for the alleged harm.

This argument is strengthened by the December 2025 ruling. Judge Chhabria’s rejection of the states’ HIPAA, Privacy Act, and Social Security Act claims as applied to basic biographical data effectively confirmed what relational privacy theory maintains: HIPAA addresses the wrong question. Under HIPAA’s propertarian framework, the sharing of names, addresses, and contact information with ICE was “clearly authorized by law,” as the framework only considers disclosure within a permitted category. Relational privacy, however, models a different viewpoint: the transfer as a violation of contextual norms under which the information was originally shared, versus whether it was formally authorized. This standard reframes the sharing of information with immigration enforcement as a violation of the healthcare relationship regardless of whether HIPAA technically permits it. In place of closing the constitutional question, the December ruling exposed why a new framework is necessary.

A chilling effect occurs when government action deters individuals from exercising protected rights or accessing public benefits, even without direct prohibition. Behavioral consequences of this exposure are already measurable, as Tara Watson’s landmark study demonstrates reduced Medicaid participation among children of noncitizens, even when those children are themselves citizens and face no eligibility barriers in the face of heightened federal immigration enforcement. This is evidenced by declarations submitted in California v. HHS documented disenrollment, avoided emergency care, and mounting financial strain on safety net hospitals in real time. As seen by the alleged injunction-violating sharing of a second large dataset with ICE by HHS since the March 2026 motion to enforce, harm is ongoing and current procedural remedies alone cannot address its extent. 

The injunction can stop a data transfer, but cannot communicate to betrayed communities now viewing Medicaid as a surveillance risk that it is safe to trust the system again. Watson’s findings demonstrate chilling effects persist well beyond specific triggering conditions. This pattern is clearly applicable to this instance. Medicaid has become dangerous to use, and enrolled individuals have responded to this danger accordingly. By identifying only the procedural question, administrative wrongdoing is highlighted. Courts must be willing to identify relational questions that probe into the requirements of the Constitution: government data practices which preserve safe conditions  for public health systems to function within. HIPAA’s propertarian framework is severely lacking and cannot achieve this goal, but relational privacy can. A public health system which inspires fear in its patients is not a properly functioning system.

Isabella Grande is a graduate student at Brown University, concentrating in Biotechnology. She is a staff writer for the Brown University Undergraduate Law Review and can be contacted at isabella_grande@brown.edu.