A major legal and policy battle unfolded in late 2025 after the Department of Health and Human Services (HHS) moved to allow limited sharing of Medicaid enrollee data with federal immigration enforcement agencies, including U.S. Immigration and Customs Enforcement (ICE).
For decades, Medicaid information had been treated as highly sensitive and was generally walled off from immigration enforcement to protect patient privacy and ensure access to care without fear. That changed when HHS and the Department of Homeland Security revised their data-sharing approach, authorizing the transfer of certain non-clinical information.
The shift triggered immediate backlash from privacy advocates and state governments, with a coalition of Democratic attorneys general filing suit to block the policy, arguing it violated longstanding confidentiality protections and undermined trust in public health programs. In August 2025, a federal judge issued a preliminary injunction halting the data sharing while the case proceeded.
However, in December, U.S. District Judge Vince Chhabria partially lifted that restriction, ruling that federal law does allow HHS to share limited administrative Medicaid data with ICE under defined conditions. At the same time, the court imposed strict limits, barring the sharing of medical records and restricting the use of the data to narrowly defined purposes.
For years, Medicaid data had been treated as functionally protected from law-enforcement use to ensure that vulnerable populations could seek care without fear. That informal firewall began to erode in early 2025, when internal policy changes within the HHS and the Department of Homeland Security signaled a new willingness to allow limited data exchanges.
Privacy advocates and state officials raised alarms that this shift amounted to a quiet breach of trust, even if no systems were hacked. When reports emerged that ICE could request personal details such as names, addresses, and Medicaid ID numbers, a coalition of 20 Democratic attorneys general sued the federal government, arguing that the policy violated federal confidentiality rules and undermined the integrity of public health programs. In August 2025, a federal judge in California issued a preliminary injunction halting the data sharing while the legality of the policy was reviewed.
According to the Notice of Medicaid Information Sharing between the Centers for Medicare & Medicaid Services and the Department of Homeland Security, “ICE notes that it is currently precluded from using this information due to a Preliminary Injunction and it will proceed with this policy when the Preliminary Injunction is lifted… Under that same Preliminary Injunction, CMS is currently precluded from sharing certain Medicaid data with ICE for immigration enforcement purposes.”
In late 2025, a federal judge in Washington, D.C., issued a ruling in Center for Taxpayer Rights v. IRS that temporarily blocked the Internal Revenue Service from sharing sensitive taxpayer information with ICE after finding the agency’s new inter-agency data-sharing policy likely unlawful and inconsistent with longstanding confidentiality protections under the Internal Revenue Code. The judge’s 94-page opinion noted that the IRS had shifted from strict privacy practices to a broad “Data Policy” that saw ICE receiving confidential address data for thousands of taxpayers without adequate legal justification, and that this change was “arbitrary and capricious” under the Administrative Procedure Act.
At the same time, in California v. U.S. Department of Health and Human Services, the U.S. District Court for the Northern District of California reviewed a multistate lawsuit challenging the federal government’s decision to permit HHS to share Medicaid enrollee data with ICE and DHS. It ultimately allows limited disclosure of basic administrative data while upholding privacy limits on clinical and broad personal health information.
These cases show how state governments and attorneys general increasingly act as guardians of privacy, asserting that federal data-sharing policies must comply with both federal statutes and state interests in protecting resident information. States argue that without clear statutory authority and safeguards, federal sharing of tax or health data undermines public trust, discourages participation in programs.
See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)
HHS oversees Medicaid at the federal level and has legal authority to manage, store, and share certain program data with other government agencies when permitted by federal law.
Yes, HHS can share limited Medicaid data with federal agencies such as DHS or ICE when the disclosure is authorized by statute and follows privacy and confidentiality rules.
Typically, only basic administrative information—such as name, address, date of birth, and program identification numbers—may be shared, not full medical records.